Merge pull request #871 from nextcloud/backport/867/stable30

[stable30] fix(proxy): validate request path before forwarding to ExApp

Author: oleksandr-nc

lib/Controller/ExAppProxyController.php

@@ -231,6 +231,12 @@ private function prepareProxy(
 		string $appId, string $other, array &$route, array &$bruteforceProtection, int &$delay
 	): ?ExApp {
 		$delay = 0;
+		if (preg_match('#(?:^|/|%2[fF])(?:\.|%2[eE]){2}(?:/|%2[fF]|$)#', $other) === 1) {
+			$this->logger->debug(
+				sprintf('Returning status 404 for "%s": path contains a parent-directory segment.', $other)
+			);
+			return null;
+		}
 		$exApp = $this->exAppService->getExApp($appId);
 		if ($exApp === null) {
 			$this->logger->debug(