Merge pull request #49543 from nextcloud/backport/49541/stable29

author: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> 2024-11-28 13:56:24 +0100
committer: GitHub <noreply@github.com> 2024-11-28 13:56:24 +0100
commit: a065dc0c769157f362d18265630cf38b43b2a5aa (patch)
tree: ac79ceb8863fbf368bc04323552000687bf2b62c
parent: 5eb3534d7e23234353e8c8956fa54e1217ab20e3 (diff)
parent: e39137de2d6adafcb6300bd7dc1b5f54ff0b71db (diff)
download: nextcloud-server-a065dc0c769157f362d18265630cf38b43b2a5aa.tar.gz
nextcloud-server-a065dc0c769157f362d18265630cf38b43b2a5aa.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
index 726e99345fa..d62df7a071d 100644
--- a/apps/files_sharing/lib/Controller/ExternalSharesController.php
+++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -118,9 +118,10 @@ class ExternalSharesController extends Controller {
 	 *
 	 * @param string $remote
 	 * @return DataResponse
+	 * @AnonRateThrottle(limit=5, period=120)
 	 */
 	public function testRemote($remote) {
-		if (str_contains($remote, '#') || str_contains($remote, '?') || str_contains($remote, ';')) {
+		if (preg_match('%[!#$&\'()*+,;=?@[\]]%', $remote)) {
 			return new DataResponse(false);
 		}
author	Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2024-11-28 13:56:24 +0100
committer	GitHub <noreply@github.com>	2024-11-28 13:56:24 +0100
commit	a065dc0c769157f362d18265630cf38b43b2a5aa (patch)
tree	ac79ceb8863fbf368bc04323552000687bf2b62c
parent	5eb3534d7e23234353e8c8956fa54e1217ab20e3 (diff)
parent	e39137de2d6adafcb6300bd7dc1b5f54ff0b71db (diff)
download	nextcloud-server-a065dc0c769157f362d18265630cf38b43b2a5aa.tar.gz nextcloud-server-a065dc0c769157f362d18265630cf38b43b2a5aa.zip