author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-02-03 11:32:51 +0100 |
---|---|---|
committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2024-02-07 09:23:52 +0000 |
commit | d15d7bcba0c1022a3bc943ca36ee6bdebe6fb25b (patch) | |
tree | 1b5a72ba2f3c0210f26d4b3381402d2f4377f2ac /lib/private | |
parent | 5dc2200ca02d4461ac61dd0e68bcbfa76068435c (diff) | |
fix(ContactsStore): Sanitize user ID given to guest avatar route
It is not allowed to use slashes within path parameters, so they would need to be encoded.
But URL-encoded slashes are not supported by Apache, so instead replace slash with space.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/Contacts/ContactsMenu/ContactsStore.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/private/Contacts/ContactsMenu/ContactsStore.php b/lib/private/Contacts/ContactsMenu/ContactsStore.php
index 25a90e5f0f7..d4d3042a3b4 100644
--- a/lib/private/Contacts/ContactsMenu/ContactsStore.php
+++ b/lib/private/Contacts/ContactsMenu/ContactsStore.php
@@ -343,9 +343,9 @@ class ContactsStore implements IContactsStore {
 $avatar = $this->urlGenerator->linkToRouteAbsolute('core.avatar.getAvatar', ['userId' => $uid, 'size' => 64]);
 $entry->setProperty('isUser', true);
 } elseif (!empty($contact['FN'])) {
- $avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $contact['FN'], 'size' => 64]);
+ $avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $contact['FN']), 'size' => 64]);
 } else {
- $avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $uid, 'size' => 64]);
+ $avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $uid), 'size' => 64]);
 }
 $entry->setAvatar($avatar);
 } |
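Review bot: The same `str_replace('/', ' ', …)` rule is written twice, in the `elseif` and the `else` branch, with no comment saying why, so a later edit can easily change one branch and miss the other. I would put a one-line comment above the first call, `// '/' is not allowed in a path parameter and Apache rejects %2F, so replace it with a space`, or move the rule into one private helper that both branches call. Only `/` is handled; whether a backslash or a dot-only name in `$contact['FN']` is safe as the `guestName` path segment depends on the URL generator and the web server, neither of which this hunk shows, so a test case for those values would be worth adding. The type of `$uid` is also not visible here; if it can be null in the `else` branch, `str_replace` will raise a deprecation notice on PHP 8.1 and later. The enclosing method starts and ends outside the hunk.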