upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-20 00:12:30 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 38

fix(dav): Allow arrays (of scalars) in property values

Browse source 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
This commit is contained in:
Côme Chilliet 2025-10-14 17:50:53 +02:00 committed by backportbot[bot]
parent 266c1fcb2d
commit 8d216a7fdf
1 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
apps/dav/lib/DAV/CustomPropertiesBackend.php
View file

@ -550,7 +550,16 @@ class CustomPropertiesBackend implements BackendInterface {
$valueType = self::PROPERTY_TYPE_HREF;
$value = $value->getHref();
} else {
if (!is_object($value)) {
if (is_array($value)) {
// For array only allow scalar values
foreach ($value as $item) {
if (!is_scalar($item)) {
throw new DavException(
"Property \"$name\" has an invalid value of array containing " . gettype($value),
);
}
}
} elseif (!is_object($value)) {
throw new DavException(
"Property \"$name\" has an invalid value of type " . gettype($value),
);
@ -581,6 +590,10 @@ class CustomPropertiesBackend implements BackendInterface {
case self::PROPERTY_TYPE_HREF:
return new Href($value);
case self::PROPERTY_TYPE_OBJECT:
if (preg_match('/^a:/', $value)) {
// Array, unserialize only scalar values
return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]);
}
if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
throw new \LogicException('Found an object class serialized in DB that is not allowed');
}