$nameSearchPattern was passed in and directly appended to the SQL query. Luckily the code path isn't reached anywhere in Nextcloud or the included apps.
The Nextcloud and ownCloud updaters allow someone to configure a custom release channel, this can then be used to publish different versions. (e.g. one channel stays on 9.x while another one already gets 10.x)
There is however one big problem with it: The value is effectively stored in the app config, which is stored in the database. So to be able to read the update channel a connection to the database is necessary. This is quite error prone and also causes some of the issues in the original ownCloud updater.
This moves the channel registration to the config.php and also includes a repair step.
When no cookies are sent it is not required to perform any check for the strict or lax cookie, it does not provide any significant security advantage.
It does however interfer with the Android client which requests thumbnails from the unofficial API at `/index.php/apps/files/api/v1/thumbnail/256/256/{filename}`. This endpoint expects the strict cookie to be existent to not leak the existence of files. The Android client authenticates against this endpoint using Basic Auth and without cookies in some cases at least. This will make these endpoints work again with such cases.
To test this issue the following cURL command once without the patch and once with:
> curl http://localhost/index.php/apps/files/api/v1/thumbnail/256/256/welcome.txt -u admin -v
Without the patch the request is redirected (which the client does not obey) and with the patch the preview is returned.
As the apps from the appstore are at the moment signed by the ownCloud Root CA we have to add it as fallback as well. We can remove that once Nextcloud 10 with new appstore has been released.
At the moment we want to hide the help link from the personal sidebar as it contains the original ownCloud documentation.
Once we have our own documentation with our proper branding and so on we can reenable this.
