From 609b8aff12935ac158d60491fe7211946ed28838 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 24 Mar 2020 14:20:15 +0100
Subject: [PATCH] Also disallow ; in remote urls
Signed-off-by: Joas Schilling
---
 apps/files_sharing/lib/Controller/ExternalSharesController.php | 2 +-
 .../tests/Controller/ExternalShareControllerTest.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
index c5dd21cda3..96b9ebffac 100644
--- a/apps/files_sharing/lib/Controller/ExternalSharesController.php
+++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -131,7 +131,7 @@ class ExternalSharesController extends Controller {
 * @return DataResponse
 */
 public function testRemote($remote) {
- if (strpos($remote, '#') !== false || strpos($remote, '?') !== false) {
+ if (strpos($remote, '#') !== false || strpos($remote, '?') !== false || strpos($remote, ';') !== false) {
 return new DataResponse(false);
 }
diff --git a/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php b/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php
index 9d8ee9a9d4..d6a4ee8d4f 100644
--- a/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php
+++ b/apps/files_sharing/tests/Controller/ExternalShareControllerTest.php
@@ -162,6 +162,7 @@ class ExternalShareControllerTest extends \Test\TestCase {
 return [
 ['nextcloud.com?query'],
 ['nextcloud.com/#anchor'],
+ ['nextcloud.com/;tomcat'],
 ];
 }
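Review bot: The guard at the top of testRemote() is still a character denylist, so it only rejects delimiters someone has already thought of. This commit is the third entry added by hand. Because `$remote` is caller-supplied and presumably used to build an outbound request further down (the body continues outside the hunk), positive validation would be more durable: parse the value and accept only a host, an optional port and a plain path. If the denylist stays, keep the rejected set in one place with `if (strpbrk($remote, '#?;') !== false) {`. Also add a comment above it saying why these characters are refused, e.g. `// Reject URL delimiters so the caller cannot change which path the server requests on the remote.`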