Also disallow ; in remote urls

Signed-off-by: Joas Schilling <coding@schilljs.com>

diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
index c5dd21cda30e8e0d158f9e6571bbb6c29979a107..96b9ebffac86d2c02813e64ef5ba013acf4c677c 100644 (file)
--- a/apps/files_sharing/lib/Controller/ExternalSharesController.php
+++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -131,7 +131,7 @@ class ExternalSharesController extends Controller {
         * @return DataResponse
         */
        public function testRemote($remote) {
-               if (strpos($remote, '#') !== false || strpos($remote, '?') !== false) {
+               if (strpos($remote, '#') !== false || strpos($remote, '?') !== false || strpos($remote, ';') !== false) {
                        return new DataResponse(false);
                }
 

diff --git a/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php b/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php
index 9d8ee9a9d4217a98db535f9237f34c0ecaa0f952..d6a4ee8d4f31097f23ea6083674e5a65b180e49d 100644 (file)
--- a/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php
+++ b/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php
@@ -162,6 +162,7 @@ class ExternalShareControllerTest extends \Test\TestCase {
                return [
                        ['nextcloud.com?query'],
                        ['nextcloud.com/#anchor'],
+                       ['nextcloud.com/;tomcat'],
                ];
        }