fix(ContactsStore): Sanitize user ID given to guest avatar route

It is not allowed to use slashes within path parameters, so they would need to be encoded. But URL encoded slashes are not suported by Apache, so instead replace slash with space. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-02-03 11:32:51 +07:00 · 2024-02-03 11:32:51 +07:00 · d15d7bcba0
parent 5dc2200ca0
commit d15d7bcba0
1 changed files with 2 additions and 2 deletions
--- a/lib/private/Contacts/ContactsMenu/ContactsStore.php
+++ b/lib/private/Contacts/ContactsMenu/ContactsStore.php
@ -343,9 +343,9 @@ class ContactsStore implements IContactsStore {
 				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.avatar.getAvatar', ['userId' => $uid, 'size' => 64]);
 				$entry->setProperty('isUser', true);
 			} elseif (!empty($contact['FN'])) {
-				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $contact['FN'], 'size' => 64]);
+				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $contact['FN']), 'size' => 64]);
 			} else {
-				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => $uid, 'size' => 64]);
+				$avatar = $this->urlGenerator->linkToRouteAbsolute('core.GuestAvatar.getAvatar', ['guestName' => str_replace('/', ' ', $uid), 'size' => 64]);
 			}
 			$entry->setAvatar($avatar);
 		}