chore: stricter access to testremote endpoint

Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
author: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> 2024-11-28 11:05:06 +0100
committer: backportbot[bot] <backportbot[bot]@users.noreply.github.com> 2024-11-28 10:49:27 +0000
commit: 7699598b9449f3636af0eb9f328ae422449d07a0 (patch)
tree: 00c79458ea8bc0350a4c840eda0c5727f26e0d5c /apps
parent: 40e60366fa709ac47463a5cec664f849f28f86f2 (diff)
download: nextcloud-server-7699598b9449f3636af0eb9f328ae422449d07a0.tar.gz
nextcloud-server-7699598b9449f3636af0eb9f328ae422449d07a0.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
index 70e9eb5c465..e7189dabfbd 100644
--- a/apps/files_sharing/lib/Controller/ExternalSharesController.php
+++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -100,10 +100,11 @@ class ExternalSharesController extends Controller {
 	 *
 	 * @param string $remote
 	 * @return DataResponse
+	 * @AnonRateThrottle(limit=5, period=120)
 	 */
 	#[PublicPage]
 	public function testRemote($remote) {
-		if (str_contains($remote, '#') || str_contains($remote, '?') || str_contains($remote, ';')) {
+		if (preg_match('%[!#$&\'()*+,;=?@[\]]%', $remote)) {
 			return new DataResponse(false);
 		}
author	Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2024-11-28 11:05:06 +0100
committer	backportbot[bot] <backportbot[bot]@users.noreply.github.com>	2024-11-28 10:49:27 +0000
commit	7699598b9449f3636af0eb9f328ae422449d07a0 (patch)
tree	00c79458ea8bc0350a4c840eda0c5727f26e0d5c /apps
parent	40e60366fa709ac47463a5cec664f849f28f86f2 (diff)
download	nextcloud-server-7699598b9449f3636af0eb9f328ae422449d07a0.tar.gz nextcloud-server-7699598b9449f3636af0eb9f328ae422449d07a0.zip