upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-12 18:21:40 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 22

fix(repair): restrict unserialize() in RemoveBrokenProperties

Browse source 
RemoveBrokenProperties::run() calls unserialize() on the property value column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute.

The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used, only its truthiness is checked.

No behavior change for valid or broken rows.  

Signed-off-by: Eli Peter <54954007+elicpeter@users.noreply.github.com>
This commit is contained in:
Eli Peter 2026-04-28 12:20:08 -04:00 committed by Daniel
parent eeecb3e69f
commit bc7f4b5e60
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/private/Repair/RemoveBrokenProperties.php
View file

@ -37,7 +37,7 @@ class RemoveBrokenProperties implements IRepairStep {
$brokenIds = [];
while ($entry = $result->fetch()) {
if (!empty($entry['propertyvalue'])) {
$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']));
$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']), ['allowed_classes' => false]);
if ($object === false) {
$brokenIds[] = $entry['id'];
}