From 749c9bb223d56969feaf893a3937bb20d2f4acd6 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@winzerhof-wurst.at>
Date: Thu, 16 Jan 2025 11:10:07 +0100
Subject: [PATCH] fixup! fix(session): Make session encryption more robust

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
---
 lib/private/Session/Internal.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
index d342244576e..6f2d1fce86a 100644
--- a/lib/private/Session/Internal.php
+++ b/lib/private/Session/Internal.php
@@ -16,6 +16,10 @@ use OCP\ILogger;
 use OCP\Session\Exceptions\SessionNotAvailableException;
 use Psr\Log\LoggerInterface;
 use function call_user_func_array;
+use function is_array;
+use function is_object;
+use function json_decode;
+use function json_encode;
 use function microtime;
 
 /**
@@ -50,11 +54,20 @@ class Internal extends Session {
 
 	/**
 	 * @param string $key
-	 * @param integer $value
+	 * @param mixed $value
 	 */
 	public function set(string $key, $value) {
 		$reopened = $this->reopen();
-		$_SESSION[$key] = $value;
+
+		// The previous mechanism for session encryption json-encoded all values,
+		// which implicitly led to objects convert to arrays or objects if they
+		// implement (json) serializable interfaces.
+		$normalized = match (is_array($value) || is_object($value)) {
+			true => json_decode(json_encode($value, JSON_THROW_ON_ERROR), true, 512, JSON_THROW_ON_ERROR),
+			false => $value,
+		};
+
+		$_SESSION[$key] = $normalized;
 		if ($reopened) {
 			$this->close();
 		}