diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php index be7345f25dfbc..a353de05638f8 100644 --- a/apps/dav/lib/DAV/CustomPropertiesBackend.php +++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php @@ -571,6 +571,18 @@ private function formatPath(string $path): string { return $path; } + private static function checkIsArrayOfScalar(string $name, array $array): void { + foreach ($array as $item) { + if (is_array($item)) { + self::checkIsArrayOfScalar($name, $item); + } elseif ($item !== null && !is_scalar($item)) { + throw new DavException( + "Property \"$name\" has an invalid value of array containing " . gettype($item), + ); + } + } + } + /** * @throws ParseException If parsing a \Sabre\DAV\Xml\Property\Complex value fails * @throws DavException If the property value is invalid @@ -605,6 +617,23 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value $valueType = self::PROPERTY_TYPE_HREF; $value = $value->getHref(); } else { + if (is_array($value)) { + // For array only allow scalar values + self::checkIsArrayOfScalar($name, $value); + } elseif (!is_object($value)) { + throw new DavException( + "Property \"$name\" has an invalid value of type " . gettype($value), + ); + } else { + if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\') + && !str_starts_with($value::class, 'OCA\\DAV\\')) { + throw new DavException( + "Property \"$name\" has an invalid value of class " . $value::class, + ); + } + } $valueType = self::PROPERTY_TYPE_OBJECT; // serialize produces null character // these can not be properly stored in some databases and need to be replaced @@ -616,20 +645,26 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value /** * @return mixed|Complex|string */ - private function decodeValueFromDatabase(string $value, int $valueType) { + private function decodeValueFromDatabase(string $value, int $valueType): mixed { switch ($valueType) { case self::PROPERTY_TYPE_XML: return new Complex($value); case self::PROPERTY_TYPE_HREF: return new Href($value); case self::PROPERTY_TYPE_OBJECT: + if (preg_match('/^a:/', $value)) { + // Array, unserialize only scalar values + return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]); + } + if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) { + throw new \LogicException('Found an object class serialized in DB that is not allowed'); + } // some databases can not handel null characters, these are custom encoded during serialization // this custom encoding needs to be first reversed before unserializing return unserialize(str_replace('\x00', chr(0), $value)); - case self::PROPERTY_TYPE_STRING: default: return $value; - } + }; } private function encodeDefaultCalendarUrl(Href $value): Href {