Skip to content

Commit

Permalink
fix(ContactsStore): Sanitize user ID given to guest avatar route
Browse files Browse the repository at this point in the history 
It is not allowed to use slashes within path parameters, so they would need to be encoded.
But URL encoded slashes are not suported by Apache, so instead replace slash with space.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
  • Loading branch information
@susnux @backportbot
susnux authored and backportbot[bot] committed Feb 7, 2024
1 parent 5dc2200 commit d15d7bc
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/private/Contacts/ContactsMenu/ContactsStore.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -343,9 +343,9 @@ private function contactArrayToEntry(array $contact): Entry {
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.avatar.getAvatar', ['userId' => $uid, 'size' => 64]);
$entry->setProperty('isUser', true);
} elseif (!empty($contact['FN'])) {
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $contact['FN'], 'size' => 64]);
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $contact['FN']), 'size' => 64]);
} else {
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $uid, 'size' => 64]);
$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $uid), 'size' => 64]);
}
$entry->setAvatar($avatar);
}
Expand Down

0 comments on commit d15d7bc

Please sign in to comment.