Properly validate hex colors

Signed-off-by: Julius Härtl <[email protected]>
nextcloud · juliusknorr · Sep 15, 2020 · Feb 16, 2020 · Feb 16, 2020 · Mar 7, 2020
commit c2a4f946b419ea4fc1d2f361a652d59fcec6734f
diff --git a/lib/DAV/Calendar.php b/lib/DAV/Calendar.php
@@ -30,6 +30,7 @@
 use Sabre\DAV\Exception\Forbidden;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\PropPatch;
+use Sabre\VObject\InvalidDataException;
 
 class Calendar extends ExternalCalendar {
 
@@ -164,7 +165,11 @@ public function propPatch(PropPatch $propPatch) {
 						$this->board->setTitle($value);
 						break;
 					case '{http://apple.com/ns/ical/}calendar-color':
-						$this->board->setColor(substr($value, 1));
+						$color = substr($value, 1, 6);
+						if (!preg_match('/[a-f0-9]{6}/i', $color)) {
+							throw new InvalidDataException('No valid color provided');
+						}
+						$this->board->setColor($color);
 						break;
 				}
 			}