From 39b15269c99a2b6d123ddb75b9c00c9356720dfd Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 6 Sep 2021 10:46:12 +0000
Subject: [PATCH 1/3] Check if SVG path is valid

Signed-off-by: Lukas Reschke
---
 core/Controller/SvgController.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/Controller/SvgController.php b/core/Controller/SvgController.php
index ff0a21ba516..3aa9e73c859 100644
--- a/core/Controller/SvgController.php
+++ b/core/Controller/SvgController.php
@@ -32,6 +32,7 @@ declare(strict_types=1);
 namespace OC\Core\Controller;
+use OC\Files\Filesystem;
 use OC\Template\IconsCacher;
 use OCP\App\AppPathNotFoundException;
 use OCP\App\IAppManager;
@@ -118,6 +119,10 @@ class SvgController extends Controller {
 * @return DataDisplayResponse|NotFoundResponse
 */
 private function getSvg(string $path, string $color, string $fileName) {
+ if(!Filesystem::isValidPath($path)) {
+ return new NotFoundResponse();
+ }
+
 if (!file_exists($path)) {
 return new NotFoundResponse();
 }

From c29480793ce2167729b4569bcf109e99b6687d34 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 6 Sep 2021 10:53:01 +0000
Subject: [PATCH 2/3] Fix codestyle

Signed-off-by: Lukas Reschke
---
 core/Controller/SvgController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/Controller/SvgController.php b/core/Controller/SvgController.php
index 3aa9e73c859..1070047c1cd 100644
--- a/core/Controller/SvgController.php
+++ b/core/Controller/SvgController.php
@@ -119,7 +119,7 @@ class SvgController extends Controller {
 * @return DataDisplayResponse|NotFoundResponse
 */
 private function getSvg(string $path, string $color, string $fileName) {
- if(!Filesystem::isValidPath($path)) {
+ if (!Filesystem::isValidPath($path)) {
 return new NotFoundResponse();
 }

From d0a3746349821d36f4dced9793b3521c914fea84 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 6 Sep 2021 21:26:27 +0200
Subject: [PATCH 3/3] Resolve absolute path in tests
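Review bot: The guard added at the top of getSvg validates the composed `$path` textually with `Filesystem::isValidPath` but never confirms that the path still resolves inside the directory the SVG is supposed to be served from, so the containment property is only as strong as whatever that helper happens to reject. The third patch in this series having to wrap the test fixture's base in `realpath()` suggests the helper refuses any `..` segment, including one in a legitimate but non-canonical base path, whereas a `realpath($path)` compared against the canonical base directory would accept such fixtures and enforce the actual invariant. I would keep the early reject, add that resolved-path containment check where the base directory is known (it is not visible in this hunk), and explain the guard with a why-comment such as `// reject traversal/invalid segments before any filesystem access`. The body of getSvg continues past the end of the hunk.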
Signed-off-by: Lukas Reschke
---
 tests/Core/Controller/SvgControllerTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/Core/Controller/SvgControllerTest.php b/tests/Core/Controller/SvgControllerTest.php
index c8d0ea5f503..f44440389ff 100644
--- a/tests/Core/Controller/SvgControllerTest.php
+++ b/tests/Core/Controller/SvgControllerTest.php
@@ -183,7 +183,7 @@ class SvgControllerTest extends TestCase {
 $this->appManager->expects($this->once())
 ->method('getAppPath')
 ->with($appName)
- ->willReturn(__DIR__ . '/../../../apps/' . $appName);
+ ->willReturn(realpath(__DIR__ . '/../../../apps/') . '/' . $appName);
 $response = $this->svgController->getSvgFromApp($appName, $name, $color);