Bug: TypeError in CorePlugin::httpGet() when HEAD request includes Range header #1624
Description
When a browser sends a HEAD request with a Range header to a file resource,
CorePlugin::httpGet() crashes with a TypeError on line 179.
Root Cause
For HEAD requests, $body is set to an empty string ('') on line 110:
if ('HEAD' === $request->getHeader('X-Sabre-Original-Method')) {
$body = '';But the range handling code on line 179 calls stream_get_meta_data($body)
without checking if $body is actually a resource:
if (!stream_get_meta_data($body)['seekable'] || -1 === fseek($body, $start, SEEK_SET)) {PHP 8.4 throws a TypeError: stream_get_meta_data(): Argument #1 ($stream) must be of type resource, string given
Environment
- sabre/dav 4.7.0
- PHP 8.4.16
- Nextcloud 32.0.5 (which bundles sabre/dav)
- Chrome browser on Linux (sends Range header on HEAD requests for large files)
Steps to Reproduce
- Upload a large file (>1GB) to a WebDAV server
- Use a browser that sends HEAD request with Range header before download
- Observe TypeError in logs
Proposed Fix from arkDisk
Add an is_resource() check before calling stream_get_meta_data():
if (!is_resource($body) || !stream_get_meta_data($body)['seekable'] || -1 === fseek($body, $start, SEEK_SET)) {This safely handles the case where $body is a string (HEAD requests)
by falling through to the manual seek path, which will also be skipped
since there's no actual body to process.