From 2c8aee8f99c20a8ff7b8fdcdaf152aa86b549540 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <opensource@fthiessen.de>
Date: Sat, 3 Feb 2024 11:32:51 +0100
Subject: fix(ContactsStore): Sanitize user ID given to guest avatar route

It is not allowed to use slashes within path parameters, so they would need to be encoded.
But URL encoded slashes are not suported by Apache, so instead replace slash with space.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
---
 lib/private/Contacts/ContactsMenu/ContactsStore.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/private/Contacts')

diff --git a/lib/private/Contacts/ContactsMenu/ContactsStore.php b/lib/private/Contacts/ContactsMenu/ContactsStore.php
index 1b3ef55cf20..2f141cbc0ab 100644
--- a/lib/private/Contacts/ContactsMenu/ContactsStore.php
+++ b/lib/private/Contacts/ContactsMenu/ContactsStore.php
@@ -353,9 +353,9 @@ class ContactsStore implements IContactsStore {
 				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.avatar.getAvatar', ['userId' => $uid, 'size' => 64]);
 				$entry->setProperty('isUser', true);
 			} elseif (!empty($contact['FN'])) {
-				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $contact['FN'], 'size' => 64]);
+				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $contact['FN']), 'size' => 64]);
 			} else {
-				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $uid, 'size' => 64]);
+				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $uid), 'size' => 64]);
 			}
 			$entry->setAvatar($avatar);
 		}
-- 
cgit v1.2.3