chore: stricter access to testremote endpoint

Altahrim · Altahrim · commit ae1c3b372e2a · 2024-11-28T11:22:15.000+01:00
Signed-off-by: Benjamin Gaussorgues &lt;benjamin.gaussorgues@nextcloud.com&gt;
diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -100,10 +100,11 @@ protected function testUrl($remote, $checkVersion = false) {
 	 *
 	 * @param string $remote
 	 * @return DataResponse
+	 * @AnonRateThrottle(limit=5, period=120)
 	 */
 	#[PublicPage]
 	public function testRemote($remote) {
-		if (str_contains($remote, '#') || str_contains($remote, '?') || str_contains($remote, ';')) {
+		if (preg_match('%[!#$&\'()*+,;=?@[\]]%', $remote)) {
 			return new DataResponse(false);
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -100,10 +100,11 @@ protected function testUrl($remote, $checkVersion = false) {`
`100`	`100`	`*`
`101`	`101`	`* @param string $remote`
`102`	`102`	`* @return DataResponse`
	`103`	`+ * @AnonRateThrottle(limit=5, period=120)`
`103`	`104`	`*/`
`104`	`105`	`#[PublicPage]`
`105`	`106`	`public function testRemote($remote) {`
`106`		`- if (str_contains($remote, '#') \|\| str_contains($remote, '?') \|\| str_contains($remote, ';')) {`
	`107`	`+ if (preg_match('%[!#$&\'()*+,;=?@[\]]%', $remote)) {`
`107`	`108`	`return new DataResponse(false);`
`108`	`109`	`}`
`109`	`110`