From 3e4735f029db38b24bef97e90e60a6db48b714d5 Mon Sep 17 00:00:00 2001
From: Oleksander Piskun
Date: Thu, 14 May 2026 05:40:53 +0000
Subject: [PATCH] fix(proxy): validate request path before forwarding to ExApp

Signed-off-by: Oleksander Piskun
---
 lib/Controller/ExAppProxyController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/Controller/ExAppProxyController.php b/lib/Controller/ExAppProxyController.php
index dd844082..b3d2b54f 100644
--- a/lib/Controller/ExAppProxyController.php
+++ b/lib/Controller/ExAppProxyController.php
@@ -236,6 +236,12 @@ private function prepareProxy(
 string $appId, string $other, array &$route, array &$bruteforceProtection, int &$delay
 ): ?ExApp {
 $delay = 0;
+ if (preg_match('#(?:^|/|%2[fF])(?:\.|%2[eE]){2}(?:/|%2[fF]|$)#', $other) === 1) {
+ $this->logger->debug(
+ sprintf('Returning status 404 for "%s": path contains a parent-directory segment.', $other)
+ );
+ return null;
+ }
 $exApp = $this->exAppService->getExApp($appId);
 if ($exApp === null) {
 $this->logger->debug(
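Review bot: The new guard at the top of prepareProxy matches `$other` against a fixed list of spellings (`.`/`%2e`, `/`/`%2f`), so its coverage depends on `$other` arriving here in exactly the form that is later forwarded; the hunk does not show whether the value is already URL-decoded or is decoded again further down. A check on the canonical form would be less fragile than enumerating encodings, for example `$segments = explode('/', strtr(rawurldecode($other), '\\', '/'));` followed by `if (in_array('..', $segments, true)) {`, applied to the same representation that is sent to the ExApp. The rejection is logged only at debug level and returns before `$bruteforceProtection` is touched, so repeated probing is presumably neither visible in production logs nor throttled; consider `$this->logger->warning(...)` for this branch. A unit test covering plain, encoded and mixed-case segments, plus a legitimate path with `..` inside a file name such as `a..b`, would pin the intended behaviour. prepareProxy's body continues past the end of the hunk, so the checks that follow were not reviewed.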