From 0283fbccb2fc9d2719d4f91b17373b72868887fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Tue, 14 Oct 2025 10:50:02 +0200 Subject: [PATCH 1/3] fix(dav): Restrict properties allowed object classes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/dav/lib/DAV/CustomPropertiesBackend.php | 34 ++++++++++++++++---- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php index dc207d178803f..b8dd119e5d0e9 100644 --- a/apps/dav/lib/DAV/CustomPropertiesBackend.php +++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php @@ -600,6 +600,19 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value $valueType = self::PROPERTY_TYPE_HREF; $value = $value->getHref(); } else { + if (!is_object($value)) { + throw new DavException( + "Property \"$name\" has an invalid value of type " . gettype($value), + ); + } + if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'OCA\\DAV\\')) { + throw new DavException( + "Property \"$name\" has an invalid value of class " . $value::class, + ); + } $valueType = self::PROPERTY_TYPE_OBJECT; // serialize produces null character // these can not be properly stored in some databases and need to be replaced @@ -612,13 +625,20 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value * @return mixed|Complex|string */ private function decodeValueFromDatabase(string $value, int $valueType): mixed { - return match ($valueType) { - self::PROPERTY_TYPE_XML => new Complex($value), - self::PROPERTY_TYPE_HREF => new Href($value), - // some databases can not handel null characters, these are custom encoded during serialization - // this custom encoding needs to be first reversed before unserializing - self::PROPERTY_TYPE_OBJECT => unserialize(str_replace('\x00', chr(0), $value)), - default => $value, + switch ($valueType) { + case self::PROPERTY_TYPE_XML: + return new Complex($value); + case self::PROPERTY_TYPE_HREF: + return new Href($value); + case self::PROPERTY_TYPE_OBJECT: + if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) { + throw new \LogicException('Found an object class serialized in DB that is not allowed'); + } + // some databases can not handel null characters, these are custom encoded during serialization + // this custom encoding needs to be first reversed before unserializing + return unserialize(str_replace('\x00', chr(0), $value)); + default: + return $value; }; } From 1a0b220c6b5027168b5ad18369339cc743ee38b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Tue, 14 Oct 2025 17:50:53 +0200 Subject: [PATCH 2/3] fix(dav): Allow arrays (of scalars) in property values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/dav/lib/DAV/CustomPropertiesBackend.php | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php index b8dd119e5d0e9..c4ccabdd2dfe3 100644 --- a/apps/dav/lib/DAV/CustomPropertiesBackend.php +++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php @@ -600,7 +600,16 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value $valueType = self::PROPERTY_TYPE_HREF; $value = $value->getHref(); } else { - if (!is_object($value)) { + if (is_array($value)) { + // For array only allow scalar values + foreach ($value as $item) { + if (!is_scalar($item)) { + throw new DavException( + "Property \"$name\" has an invalid value of array containing " . gettype($value), + ); + } + } + } elseif (!is_object($value)) { throw new DavException( "Property \"$name\" has an invalid value of type " . gettype($value), ); @@ -631,6 +640,10 @@ private function decodeValueFromDatabase(string $value, int $valueType): mixed { case self::PROPERTY_TYPE_HREF: return new Href($value); case self::PROPERTY_TYPE_OBJECT: + if (preg_match('/^a:/', $value)) { + // Array, unserialize only scalar values + return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]); + } if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) { throw new \LogicException('Found an object class serialized in DB that is not allowed'); } From 28c8ef13062cba317ffa6c257713b0d83702f607 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 16 Oct 2025 09:32:23 +0200 Subject: [PATCH 3/3] fix(dav): Allow array of array of scalars, and fix error message MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/dav/lib/DAV/CustomPropertiesBackend.php | 37 ++++++++++++-------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php index c4ccabdd2dfe3..a0e99233e1164 100644 --- a/apps/dav/lib/DAV/CustomPropertiesBackend.php +++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php @@ -566,6 +566,18 @@ private function formatPath(string $path): string { return $path; } + private static function checkIsArrayOfScalar(string $name, array $array): void { + foreach ($array as $item) { + if (is_array($item)) { + self::checkIsArrayOfScalar($name, $item); + } elseif ($item !== null && !is_scalar($item)) { + throw new DavException( + "Property \"$name\" has an invalid value of array containing " . gettype($item), + ); + } + } + } + /** * @throws ParseException If parsing a \Sabre\DAV\Xml\Property\Complex value fails * @throws DavException If the property value is invalid @@ -602,25 +614,20 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value } else { if (is_array($value)) { // For array only allow scalar values - foreach ($value as $item) { - if (!is_scalar($item)) { - throw new DavException( - "Property \"$name\" has an invalid value of array containing " . gettype($value), - ); - } - } + self::checkIsArrayOfScalar($name, $value); } elseif (!is_object($value)) { throw new DavException( "Property \"$name\" has an invalid value of type " . gettype($value), ); - } - if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\') - && !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\') - && !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\') - && !str_starts_with($value::class, 'OCA\\DAV\\')) { - throw new DavException( - "Property \"$name\" has an invalid value of class " . $value::class, - ); + } else { + if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'OCA\\DAV\\')) { + throw new DavException( + "Property \"$name\" has an invalid value of class " . $value::class, + ); + } } $valueType = self::PROPERTY_TYPE_OBJECT; // serialize produces null character