From e123a534fd7feb6d6271526590396144c7305739 Mon Sep 17 00:00:00 2001
From: Oleksander Piskun
Date: Thu, 14 May 2026 05:40:53 +0000
Subject: [PATCH] fix(proxy): validate request path before forwarding to ExApp

Signed-off-by: Oleksander Piskun
---
 lib/Controller/ExAppProxyController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/Controller/ExAppProxyController.php b/lib/Controller/ExAppProxyController.php
index 71fe0b29..c65b8098 100644
--- a/lib/Controller/ExAppProxyController.php
+++ b/lib/Controller/ExAppProxyController.php
@@ -231,6 +231,12 @@ private function prepareProxy(
 string $appId, string $other, array &$route, array &$bruteforceProtection, int &$delay
 ): ?ExApp {
 $delay = 0;
+ if (preg_match('#(?:^|/|%2[fF])(?:\.|%2[eE]){2}(?:/|%2[fF]|$)#', $other) === 1) {
+ $this->logger->debug(
+ sprintf('Returning status 404 for "%s": path contains a parent-directory segment.', $other)
+ );
+ return null;
+ }
 $exApp = $this->exAppService->getExApp($appId);
 if ($exApp === null) {
 $this->logger->debug(
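Review bot: The guard added at the top of prepareProxy() recognises a fixed set of spellings of a parent-directory segment in `$other`, so it is only as strong as the assumption that `$other` reaches the ExApp exactly as checked. The hunk does not show whether the value is decoded or normalised again further down, since the function body continues outside it. I would state that invariant next to the check, e.g. `// $other must be forwarded byte-for-byte as validated here; no decoding or normalisation after this point`, and pin the accepted and rejected forms with a unit test. A rejected path is also a security-relevant event, but it is logged with `$this->logger->debug(`, which production log levels usually drop; `$this->logger->warning(` with `$appId` in the message would make these requests visible to monitoring. The early return also leaves `$bruteforceProtection` untouched, so whether repeated rejected requests are throttled depends on how the caller handles a null result, which is not visible here.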