fix(dav): Allow arrays (of scalars) in property values

Signed-off-by: Côme Chilliet <[email protected]>

Author: come-nc

apps/dav/lib/DAV/CustomPropertiesBackend.php

@@ -426,7 +426,16 @@ private function encodeValueForDatabase($value): array {
 			$valueType = self::PROPERTY_TYPE_XML;
 			$value = $value->getXml();
 		} else {
-			if (!is_object($value)) {
+			if (is_array($value)) {
+				// For array only allow scalar values
+				foreach ($value as $item) {
+					if (!is_scalar($item)) {
+						throw new DavException(
+							"Property \"$name\" has an invalid value of array containing " . gettype($value),
+						);
+					}
+				}
+			} elseif (!is_object($value)) {
 				throw new DavException(
 					"Property \"$name\" has an invalid value of type " . gettype($value),
 				);
@@ -453,6 +462,10 @@ private function decodeValueFromDatabase(string $value, int $valueType): mixed {
 			case self::PROPERTY_TYPE_XML:
 				return new Complex($value);
 			case self::PROPERTY_TYPE_OBJECT:
+				if (preg_match('/^a:/', $value)) {
+					// Array, unserialize only scalar values
+					return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]);
+				}
 				if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
 					throw new \LogicException('Found an object class serialized in DB that is not allowed');
 				}