authorBart Visscher <bartv@thisnet.nl>2013-02-09 15:03:47 +0100
committerBart Visscher <bartv@thisnet.nl>2013-02-09 15:10:40 +0100
commit9dddcae9ca3dcf872893e36e2f478ebecafdc6e2 (patch)
tree161ce14d97ef95699266ead95da5f5f2bd97fb68 /settings/ajax
parent12bdc6ddb6021f772e8e6364eee89f1406ee3d7d (diff)
Remove invalid characters from app id to prevent loading of invalid resources
Diffstat (limited to 'settings/ajax')
-rw-r--r--settings/ajax/disableapp.php2
-rw-r--r--settings/ajax/enableapp.php2
-rw-r--r--settings/ajax/navigationdetect.php1
-rw-r--r--settings/ajax/updateapp.php1
4 files changed, 4 insertions, 2 deletions
diff --git a/settings/ajax/disableapp.php b/settings/ajax/disableapp.php
index e89de928eac..466a719157d 100644
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
@@ -2,6 +2,6 @@
OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
-OC_App::disable($_POST['appid']);
+OC_App::disable(OC_App::cleanAppId($_POST['appid']));
OC_JSON::success();
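Review bot: `$_POST['appid']` is handed to `OC_App::cleanAppId()` without first checking that it is present and is a string, so a request with no `appid`, or with `appid[]=...`, passes null or an array to the cleaner and on to `OC_App::disable()`. The body of `cleanAppId()` is not part of this diff, so what it returns for those inputs cannot be confirmed here. A guard before the call, such as `if (!isset($_POST['appid']) || !is_string($_POST['appid'])) { OC_JSON::error(); exit(); }`, keeps malformed requests away from the app code. The same applies to the enableapp.php, navigationdetect.php (`$_GET['app']`) and updateapp.php hunks.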
diff --git a/settings/ajax/enableapp.php b/settings/ajax/enableapp.php
index 18202dc39e9..ab84aee5166 100644
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@@ -3,7 +3,7 @@
OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
-$appid = OC_App::enable($_POST['appid']);
+$appid = OC_App::enable(OC_App::cleanAppId($_POST['appid']));
if($appid !== false) {
OC_JSON::success(array('data' => array('appid' => $appid)));
} else {
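Review bot: The cleaned id is used even when it differs from what the client sent, so `OC_App::enable()` may act on an app the request never named, or on an empty string if everything was stripped. Deleting characters is weaker than validating the id. Rejecting the request when `OC_App::cleanAppId($raw) !== $raw` or the result is `''` fails closed and gives one place to log the altered input. The `else` branch that begins on the last line of this hunk continues outside it and looks like the natural place to return that error. The same consideration holds for updateapp.php.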
diff --git a/settings/ajax/navigationdetect.php b/settings/ajax/navigationdetect.php
index 93acb50dc20..607c0e873f9 100644
--- a/settings/ajax/navigationdetect.php
+++ b/settings/ajax/navigationdetect.php
@@ -4,6 +4,7 @@ OC_Util::checkAdminUser();
OCP\JSON::callCheck();
$app = $_GET['app'];
+$app = OC_App::cleanAppId($app);
//load the one app and see what it adds to the navigation
OC_App::loadApp($app);
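Review bot: `OC_App::loadApp($app)` is the call that turns the id into code being loaded, and it is protected here only because this one caller cleans `$app` first. Running `cleanAppId()` (or a stricter allowlist check) inside `loadApp` itself would cover every caller, including ones added later. The diffstat on this page is limited to settings/ajax, so whether the commit also does that elsewhere is not visible. If the call-site form stays, a comment above the new line such as `// app id comes from the request; must be cleaned before it reaches loadApp()` would record why the line must not be removed.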
diff --git a/settings/ajax/updateapp.php b/settings/ajax/updateapp.php
index 77c0bbc3e36..9367a3b5a3b 100644
--- a/settings/ajax/updateapp.php
+++ b/settings/ajax/updateapp.php
@@ -4,6 +4,7 @@ OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
$appid = $_POST['appid'];
+$appid = OC_App::cleanAppId($appid);
$result = OC_Installer::updateApp($appid);
if($result !== false) {