Merge pull request #28726 from nextcloud/check-if-path-is-valid

Check if SVG path is valid

2 files changed, 6 insertions, 1 deletions

diff --git a/core/Controller/SvgController.php b/core/Controller/SvgController.php
index ea73ba118d9..17f16dd48e6 100644
--- a/core/Controller/SvgController.php
+++ b/core/Controller/SvgController.php
@@ -31,6 +31,7 @@ declare(strict_types=1);
  */
 namespace OC\Core\Controller;
 
+use OC\Files\Filesystem;
 use OC\Template\IconsCacher;
 use OCP\App\AppPathNotFoundException;
 use OCP\App\IAppManager;
@@ -117,6 +118,10 @@ class SvgController extends Controller {
 	 * @return DataDisplayResponse|NotFoundResponse
 	 */
 	private function getSvg(string $path, string $color, string $fileName) {
+		if (!Filesystem::isValidPath($path)) {
+			return new NotFoundResponse();
+		}
+
 		if (!file_exists($path)) {
 			return new NotFoundResponse();
 		}
diff --git a/tests/Core/Controller/SvgControllerTest.php b/tests/Core/Controller/SvgControllerTest.php
index c8d0ea5f503..f44440389ff 100644
--- a/tests/Core/Controller/SvgControllerTest.php
+++ b/tests/Core/Controller/SvgControllerTest.php
@@ -183,7 +183,7 @@ class SvgControllerTest extends TestCase {
 		$this->appManager->expects($this->once())
 			->method('getAppPath')
 			->with($appName)
-			->willReturn(__DIR__ . '/../../../apps/' . $appName);
+			->willReturn(realpath(__DIR__ . '/../../../apps/') . '/' . $appName);
 
 		$response = $this->svgController->getSvgFromApp($appName, $name, $color);