Skip to content

Commit abbc2f4

Browse files
come-ncbackportbot[bot]
come-nc
authored and
backportbot[bot]
committed
fix(dav): Restrict properties allowed object classes
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
1 parent ae98530 commit abbc2f4

File tree

1 file changed

+18
-3
lines changed

1 file changed

+18
-3
lines changed

apps/dav/lib/DAV/CustomPropertiesBackend.php

Lines changed: 18 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -565,6 +565,19 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value
565565
$valueType = self::PROPERTY_TYPE_HREF;
566566
$value = $value->getHref();
567567
} else {
568+
if (!is_object($value)) {
569+
throw new DavException(
570+
"Property \"$name\" has an invalid value of type " . gettype($value),
571+
);
572+
}
573+
if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\')
574+
&& !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\')
575+
&& !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\')
576+
&& !str_starts_with($value::class, 'OCA\\DAV\\')) {
577+
throw new DavException(
578+
"Property \"$name\" has an invalid value of class " . $value::class,
579+
);
580+
}
568581
$valueType = self::PROPERTY_TYPE_OBJECT;
569582
// serialize produces null character
570583
// these can not be properly stored in some databases and need to be replaced
@@ -576,20 +589,22 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value
576589
/**
577590
* @return mixed|Complex|string
578591
*/
579-
private function decodeValueFromDatabase(string $value, int $valueType) {
592+
private function decodeValueFromDatabase(string $value, int $valueType): mixed {
580593
switch ($valueType) {
581594
case self::PROPERTY_TYPE_XML:
582595
return new Complex($value);
583596
case self::PROPERTY_TYPE_HREF:
584597
return new Href($value);
585598
case self::PROPERTY_TYPE_OBJECT:
599+
if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
600+
throw new \LogicException('Found an object class serialized in DB that is not allowed');
601+
}
586602
// some databases can not handel null characters, these are custom encoded during serialization
587603
// this custom encoding needs to be first reversed before unserializing
588604
return unserialize(str_replace('\x00', chr(0), $value));
589-
case self::PROPERTY_TYPE_STRING:
590605
default:
591606
return $value;
592-
}
607+
};
593608
}
594609

595610
private function encodeDefaultCalendarUrl(Href $value): Href {

0 commit comments

Comments
 (0)