security: enforce APCu availability, fix fixed-window rate limiting, tighten URL validation

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

php/public/clean-history.js

@@ -12,14 +12,9 @@
 // recorded history entry.
 const rawTarget = document.currentScript.dataset.target;
 
-// Validate that the redirect target is a safe relative path (starts with '.' or '/').
-// This guards against hypothetical injection (e.g. 'javascript:…') even though the
-// value is server-set.
-const safePattern = /^[./]/;
-const unsafePattern = /^\/\//;
-const target = (typeof rawTarget === 'string' && safePattern.test(rawTarget) && !unsafePattern.test(rawTarget))
-    ? rawTarget
-    : '/';
+// Only accept the exact relative path we set server-side to prevent any
+// potential open-redirect via a manipulated data-target value.
+const target = rawTarget === '../../' ? rawTarget : '/';
 
 history.replaceState(null, '', location.pathname);
 window.location.replace(target);