Prevent enumeration of absolute path using Browser Plugin

Previously URIs like `?sabreAction=asset&assetName=../../../../../../../../../../../Users/lreschke/Programming/core/3rdparty/sabre/dav/lib/DAV/Browser/assets/sabredav.css` could have been used as  `realpath` does resolve them properly.

As discussed in owncloud/core@1edd6d7#commitcomment-9804349

lib/DAV/Browser/Plugin.php

@@ -392,13 +392,18 @@ protected function getAssetUrl($assetName) {
      *
      * @param string $assetName
      * @return string
+     * @throws DAV\Exception\NotFound
      */
     protected function getLocalAssetPath($assetName) {
 
         $assetDir = __DIR__ . '/assets/';
         $path = $assetDir . $assetName;
 
         // Making sure people aren't trying to escape from the base path.
+        $path = str_replace('\\', '/', $path);
+        if (strpos($path, '/../') !== FALSE || strrchr($path, '/') === '/..') {
+            throw new DAV\Exception\NotFound('Path does not exist, or escaping from the base path was detected');
+        }
         if (strpos(realpath($path), realpath($assetDir)) === 0 && file_exists($path)) {
             return $path;
         }