upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-11 23:04:22 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 35

Merge pull request #55853 from nextcloud/backport/55851/stable30
Some checks are pending
Integration sqlite / changes (push) Waiting to run
Details
Integration sqlite / integration-sqlite (8.1, stable30, --tags ~@large files_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, capabilities_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, collaboration_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, comments_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, dav_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, federation_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, filesdrop_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, ldap_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, openldap_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, openldap_numerical_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, remoteapi_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, setup_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, sharees_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, sharing_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, theming_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite (8.1, stable30, videoverification_features) (push) Blocked by required conditions
Details
Integration sqlite / integration-sqlite-summary (push) Blocked by required conditions
Details
Psalm static code analysis / static-code-analysis (push) Waiting to run
Details
Psalm static code analysis / static-code-analysis-security (push) Waiting to run
Details
Psalm static code analysis / static-code-analysis-ocp (push) Waiting to run
Details

Browse source 
[stable30] fix(dav): Restrict properties allowed object classes
This commit is contained in:
Joas Schilling 2025-10-20 13:22:46 +02:00 committed by GitHub
commit ced4ba4f66
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 38 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
apps/dav/lib/DAV/CustomPropertiesBackend.php
View file

@ -516,6 +516,18 @@ class CustomPropertiesBackend implements BackendInterface {
return $path;
}
private static function checkIsArrayOfScalar(string $name, array $array): void {
foreach ($array as $item) {
if (is_array($item)) {
self::checkIsArrayOfScalar($name, $item);
} elseif ($item !== null && !is_scalar($item)) {
throw new DavException(
"Property \"$name\" has an invalid value of array containing " . gettype($item),
);
}
}
}
/**
* @throws ParseException If parsing a \Sabre\DAV\Xml\Property\Complex value fails
* @throws DavException If the property value is invalid
@ -550,6 +562,23 @@ class CustomPropertiesBackend implements BackendInterface {
$valueType = self::PROPERTY_TYPE_HREF;
$value = $value->getHref();
} else {
if (is_array($value)) {
// For array only allow scalar values
self::checkIsArrayOfScalar($name, $value);
} elseif (!is_object($value)) {
throw new DavException(
"Property \"$name\" has an invalid value of type " . gettype($value),
);
} else {
if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'OCA\\DAV\\')) {
throw new DavException(
"Property \"$name\" has an invalid value of class " . $value::class,
);
}
}
$valueType = self::PROPERTY_TYPE_OBJECT;
// serialize produces null character
// these can not be properly stored in some databases and need to be replaced
@ -561,20 +590,26 @@ class CustomPropertiesBackend implements BackendInterface {
/**
* @return mixed|Complex|string
*/
private function decodeValueFromDatabase(string $value, int $valueType) {
private function decodeValueFromDatabase(string $value, int $valueType): mixed {
switch ($valueType) {
case self::PROPERTY_TYPE_XML:
return new Complex($value);
case self::PROPERTY_TYPE_HREF:
return new Href($value);
case self::PROPERTY_TYPE_OBJECT:
if (preg_match('/^a:/', $value)) {
// Array, unserialize only scalar values
return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]);
}
if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
throw new \LogicException('Found an object class serialized in DB that is not allowed');
}
// some databases can not handel null characters, these are custom encoded during serialization
// this custom encoding needs to be first reversed before unserializing
return unserialize(str_replace('\x00', chr(0), $value));
case self::PROPERTY_TYPE_STRING:
default:
return $value;
}
};
}
private function encodeDefaultCalendarUrl(Href $value): Href {