From 2a7b1bae10f9578485805d3733eda21b019236c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= Date: Tue, 28 Nov 2017 01:08:52 +0100 Subject: [PATCH] Reject X-OC-MTime header if given as a string with hexadecimal notation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In PHP 7.X hexadecimal notation support was removed from "is_numeric", so "sanitizeMtime" directly rejected those values; in PHP 5.X, on the other hand, "sanitizeMtime" returned 0 when a string with hexadecimal notation was given (as it was the behaviour of "intval"). To provide a consistent behaviour between PHP versions, and given that it does not make much sense to send X-OC-MTime in hexadecimal notation, now X-OC-MTime is always rejected if given as a string with hexadecimal notation. Signed-off-by: Daniel Calviño Sánchez --- apps/dav/lib/Connector/Sabre/File.php | 6 +++++- apps/dav/tests/unit/Connector/Sabre/FileTest.php | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/apps/dav/lib/Connector/Sabre/File.php b/apps/dav/lib/Connector/Sabre/File.php index 2d20c0958ff..32cc8b7adeb 100644 --- a/apps/dav/lib/Connector/Sabre/File.php +++ b/apps/dav/lib/Connector/Sabre/File.php @@ -590,7 +590,11 @@ class File extends Node implements IFile { } private function sanitizeMtime($mtimeFromRequest) { - if (!is_numeric($mtimeFromRequest)) { + // In PHP 5.X "is_numeric" returns true for strings in hexadecimal + // notation. This is no longer the case in PHP 7.X, so this check + // ensures that strings with hexadecimal notations fail too in PHP 5.X. + $isHexadecimal = is_string($mtimeFromRequest) && preg_match('/^\s*0[xX]/', $mtimeFromRequest); + if ($isHexadecimal || !is_numeric($mtimeFromRequest)) { throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).'); } diff --git a/apps/dav/tests/unit/Connector/Sabre/FileTest.php b/apps/dav/tests/unit/Connector/Sabre/FileTest.php index 2bc65b987b7..1db9b7948e3 100644 --- a/apps/dav/tests/unit/Connector/Sabre/FileTest.php +++ b/apps/dav/tests/unit/Connector/Sabre/FileTest.php @@ -370,7 +370,7 @@ class FileTest extends \Test\TestCase { ], "string castable hex int" => [ 'HTTP_X_OC_MTIME' => "0x45adf", - 'expected result' => 0 + 'expected result' => null ], "string that looks like invalid hex int" => [ 'HTTP_X_OC_MTIME' => "0x123g",