Reject X-OC-MTime header if given as a string with hexadecimal notation

In PHP 7.X hexadecimal notation support was removed from "is_numeric",
so "sanitizeMtime" directly rejected those values; in PHP 5.X, on the
other hand, "sanitizeMtime" returned 0 when a string with hexadecimal
notation was given (as it was the behaviour of "intval"). To provide a
consistent behaviour between PHP versions, and given that it does not
make much sense to send X-OC-MTime in hexadecimal notation, now
X-OC-MTime is always rejected if given as a string with hexadecimal
notation.

Signed-off-by: Daniel Calviño Sánchez <[email protected]>

apps/dav/lib/Connector/Sabre/File.php

@@ -590,7 +590,11 @@ private function convertToSabreException(\Exception $e) {
 	}
 
 	private function sanitizeMtime($mtimeFromRequest) {
-		if (!is_numeric($mtimeFromRequest)) {
+		// In PHP 5.X "is_numeric" returns true for strings in hexadecimal
+		// notation. This is no longer the case in PHP 7.X, so this check
+		// ensures that strings with hexadecimal notations fail too in PHP 5.X.
+		$isHexadecimal = is_string($mtimeFromRequest) && preg_match('/^\s*0[xX]/', $mtimeFromRequest);
+		if ($isHexadecimal || !is_numeric($mtimeFromRequest)) {
 			throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).');
 		}
 

apps/dav/tests/unit/Connector/Sabre/FileTest.php

@@ -370,7 +370,7 @@ public function legalMtimeProvider() {
 			],
 			"string castable hex int" => [
 					'HTTP_X_OC_MTIME' => "0x45adf",
-					'expected result' => 0
+					'expected result' => null
 			],
 			"string that looks like invalid hex int" => [
 					'HTTP_X_OC_MTIME' => "0x123g",