upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-01 13:00:44 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

fix(ContactsStore): Sanitize user ID given to guest avatar route

Browse source 
It is not allowed to use slashes within path parameters, so they would need to be encoded.
But URL encoded slashes are not suported by Apache, so instead replace slash with space.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
This commit is contained in:
Ferdinand Thiessen 2024-02-03 11:32:51 +01:00
parent 05a03dd663
commit 2c8aee8f99
No known key found for this signature in database
GPG key ID: 45FAE7268762B400
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/private/Contacts/ContactsMenu/ContactsStore.php
View file

@ -353,9 +353,9 @@ class ContactsStore implements IContactsStore {
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.avatar.getAvatar', ['userId' => $uid, 'size' => 64]);
$entry->setProperty('isUser', true);
} elseif (!empty($contact['FN'])) {
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $contact['FN'], 'size' => 64]);
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $contact['FN']), 'size' => 64]);
} else {
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $uid, 'size' => 64]);
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $uid), 'size' => 64]);
}
$entry->setAvatar($avatar);
}