upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-19 08:25:56 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

fix(dav): Restrict properties allowed object classes

Browse source 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
This commit is contained in:
Côme Chilliet 2025-10-14 10:50:02 +02:00 committed by backportbot[bot]
parent 5e005e6bee
commit 2d6fcb544e
1 changed files with 18 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
apps/dav/lib/DAV/CustomPropertiesBackend.php
View file

@ -514,6 +514,19 @@ class CustomPropertiesBackend implements BackendInterface {
$valueType = self::PROPERTY_TYPE_HREF;
$value = $value->getHref();
} else {
if (!is_object($value)) {
throw new DavException(
"Property \"$name\" has an invalid value of type " . gettype($value),
);
}
if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'OCA\\DAV\\')) {
throw new DavException(
"Property \"$name\" has an invalid value of class " . $value::class,
);
}
$valueType = self::PROPERTY_TYPE_OBJECT;
// serialize produces null character
// these can not be properly stored in some databases and need to be replaced
@ -525,20 +538,22 @@ class CustomPropertiesBackend implements BackendInterface {
/**
* @return mixed|Complex|string
*/
private function decodeValueFromDatabase(string $value, int $valueType) {
private function decodeValueFromDatabase(string $value, int $valueType): mixed {
switch ($valueType) {
case self::PROPERTY_TYPE_XML:
return new Complex($value);
case self::PROPERTY_TYPE_HREF:
return new Href($value);
case self::PROPERTY_TYPE_OBJECT:
if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
throw new \LogicException('Found an object class serialized in DB that is not allowed');
}
// some databases can not handel null characters, these are custom encoded during serialization
// this custom encoding needs to be first reversed before unserializing
return unserialize(str_replace('\x00', chr(0), $value));
case self::PROPERTY_TYPE_STRING:
default:
return $value;
}
};
}
private function encodeDefaultCalendarUrl(Href $value): Href {