Merge pull request #55854 from nextcloud/backport/55851/stable29

[stable29] fix(dav): Restrict properties allowed object classes

Author: nickvergessen

apps/dav/lib/DAV/CustomPropertiesBackend.php

@@ -531,6 +531,18 @@ private function formatPath(string $path): string {
 		return $path;
 	}
 
+	private static function checkIsArrayOfScalar(string $name, array $array): void {
+		foreach ($array as $item) {
+			if (is_array($item)) {
+				self::checkIsArrayOfScalar($name, $item);
+			} elseif ($item !== null && !is_scalar($item)) {
+				throw new DavException(
+					"Property \"$name\" has an invalid value of array containing " . gettype($item),
+				);
+			}
+		}
+	}
+
 	/**
 	 * @throws ParseException If parsing a \Sabre\DAV\Xml\Property\Complex value fails
 	 * @throws DavException If the property value is invalid
@@ -565,6 +577,23 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value
 			$valueType = self::PROPERTY_TYPE_HREF;
 			$value = $value->getHref();
 		} else {
+			if (is_array($value)) {
+				// For array only allow scalar values
+				self::checkIsArrayOfScalar($name, $value);
+			} elseif (!is_object($value)) {
+				throw new DavException(
+					"Property \"$name\" has an invalid value of type " . gettype($value),
+				);
+			} else {
+				if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\')
+					&& !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\')
+					&& !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\')
+					&& !str_starts_with($value::class, 'OCA\\DAV\\')) {
+					throw new DavException(
+						"Property \"$name\" has an invalid value of class " . $value::class,
+					);
+				}
+			}
 			$valueType = self::PROPERTY_TYPE_OBJECT;
 			// serialize produces null character
 			// these can not be properly stored in some databases and need to be replaced
@@ -576,20 +605,26 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value
 	/**
 	 * @return mixed|Complex|string
 	 */
-	private function decodeValueFromDatabase(string $value, int $valueType) {
+	private function decodeValueFromDatabase(string $value, int $valueType): mixed {
 		switch ($valueType) {
 			case self::PROPERTY_TYPE_XML:
 				return new Complex($value);
 			case self::PROPERTY_TYPE_HREF:
 				return new Href($value);
 			case self::PROPERTY_TYPE_OBJECT:
+				if (preg_match('/^a:/', $value)) {
+					// Array, unserialize only scalar values
+					return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]);
+				}
+				if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
+					throw new \LogicException('Found an object class serialized in DB that is not allowed');
+				}
 				// some databases can not handel null characters, these are custom encoded during serialization
 				// this custom encoding needs to be first reversed before unserializing
 				return unserialize(str_replace('\x00', chr(0), $value));
-			case self::PROPERTY_TYPE_STRING:
 			default:
 				return $value;
-		}
+		};
 	}
 
 	private function encodeDefaultCalendarUrl(Href $value): Href {