Merged
41 changes: 38 additions & 3 deletions apps/dav/lib/DAV/CustomPropertiesBackend.php
Expand Up @@ -435,6 +435,18 @@
return $path;
}

private static function checkIsArrayOfScalar(string $name, array $array): void {
foreach ($array as $item) {
if (is_array($item)) {
self::checkIsArrayOfScalar($name, $item);
} elseif ($item !== null && !is_scalar($item)) {
throw new DavException(

Check failure on line 443 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

UndefinedClass

apps/dav/lib/DAV/CustomPropertiesBackend.php:443:15: UndefinedClass: Class, interface or enum named OCA\DAV\DAV\DavException does not exist (see https://psalm.dev/019)

Check failure on line 443 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

InvalidThrow

apps/dav/lib/DAV/CustomPropertiesBackend.php:443:5: InvalidThrow: Cannot throw OCA\DAV\DAV\DavException as it does not extend Exception or implement Throwable (see https://psalm.dev/133)
"Property \"$name\" has an invalid value of array containing " . gettype($item),
);
}
}
}

/**
* @param mixed $value
* @return array
Expand All @@ -443,9 +455,26 @@
if (is_scalar($value)) {
$valueType = self::PROPERTY_TYPE_STRING;
} elseif ($value instanceof Complex) {
$valueType = self::PROPERTY_TYPE_XML;
$value = $value->getXml();
} else {
if (is_array($value)) {
// For array only allow scalar values
self::checkIsArrayOfScalar($name, $value);

Check failure on line 463 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

UndefinedVariable

apps/dav/lib/DAV/CustomPropertiesBackend.php:463:32: UndefinedVariable: Cannot find referenced variable $name (see https://psalm.dev/024)
} elseif (!is_object($value)) {
throw new DavException(

Check failure on line 465 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

UndefinedClass

apps/dav/lib/DAV/CustomPropertiesBackend.php:465:15: UndefinedClass: Class, interface or enum named OCA\DAV\DAV\DavException does not exist (see https://psalm.dev/019)
"Property \"$name\" has an invalid value of type " . gettype($value),

Check failure on line 466 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

UndefinedVariable

apps/dav/lib/DAV/CustomPropertiesBackend.php:466:18: UndefinedVariable: Cannot find referenced variable $name (see https://psalm.dev/024)
);
} else {
if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\')
&& !str_starts_with($value::class, 'OCA\\DAV\\')) {
throw new DavException(

Check failure on line 473 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

UndefinedClass

apps/dav/lib/DAV/CustomPropertiesBackend.php:473:16: UndefinedClass: Class, interface or enum named OCA\DAV\DAV\DavException does not exist (see https://psalm.dev/019)
"Property \"$name\" has an invalid value of class " . $value::class,

Check failure on line 474 in apps/dav/lib/DAV/CustomPropertiesBackend.php

GitHub Actions / static-code-analysis

UndefinedVariable

apps/dav/lib/DAV/CustomPropertiesBackend.php:474:19: UndefinedVariable: Cannot find referenced variable $name (see https://psalm.dev/024)
);
}
}
$valueType = self::PROPERTY_TYPE_OBJECT;
// serialize produces null character
// these can not be properly stored in some databases and need to be replaced
Expand All @@ -457,18 +486,24 @@
/**
* @return mixed|Complex|string
*/
private function decodeValueFromDatabase(string $value, int $valueType) {
private function decodeValueFromDatabase(string $value, int $valueType): mixed {
switch ($valueType) {
case self::PROPERTY_TYPE_XML:
return new Complex($value);
case self::PROPERTY_TYPE_OBJECT:
if (preg_match('/^a:/', $value)) {
// Array, unserialize only scalar values
return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]);
}
if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
throw new \LogicException('Found an object class serialized in DB that is not allowed');
}
// some databases can not handel null characters, these are custom encoded during serialization
// this custom encoding needs to be first reversed before unserializing
return unserialize(str_replace('\x00', chr(0), $value));
case self::PROPERTY_TYPE_STRING:
default:
return $value;
}
};
}

private function createDeleteQuery(): IQueryBuilder {
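Review bot: In `decodeValueFromDatabase`, the `PROPERTY_TYPE_OBJECT` branch validates only the class name of the outermost serialized object with the `preg_match('/^O\:\d+\:…/')` prefix test, and the final `unserialize(str_replace('\x00', chr(0), $value))` still runs without an `allowed_classes` option, so an object nested inside an allowed property class is instantiated whatever its class. The array branch already passes `['allowed_classes' => false]`; the object branch should restrict classes as well, for example `return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => [/* explicit list of the property classes this backend stores */]]);`. The `OCA\\DAV\\` prefix, used here and in the write-side `str_starts_with` checks, admits every class in the app namespace, which looks broader than the set of property value classes, so an explicit list would tighten both sides. The write-side check also inspects only `$value::class` and not the object's members; the function that contains it starts outside the hunk.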