fix(carddav): Check if SERVER variables are set before accessing them 38308/head
authorAnna Larch <anna@nextcloud.com>
Tue, 16 May 2023 11:09:26 +0000 (13:09 +0200)
committerChristoph Wurst <christoph@winzerhof-wurst.at>
Tue, 23 May 2023 08:58:29 +0000 (10:58 +0200)
Signed-off-by: Anna Larch <anna@nextcloud.com>
apps/dav/lib/CardDAV/SystemAddressbook.php

index 41e473ede6367f19e8380bc92656495ffd7ab241..c936ad2344ff746a24d8ca9eff9ad7a408caf1fe 100644 (file)
@@ -35,14 +35,12 @@ use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IL10N;
 use OCP\IRequest;
-use OCP\IUser;
 use OCP\IUserSession;
 use Sabre\CardDAV\Backend\SyncSupport;
 use Sabre\CardDAV\Backend\BackendInterface;
 use Sabre\CardDAV\Card;
 use Sabre\DAV\Exception\Forbidden;
 use Sabre\DAV\Exception\NotFound;
-use Sabre\DAV\ICollection;
 use Sabre\VObject\Component\VCard;
 use Sabre\VObject\Reader;
 use function array_filter;
@@ -234,12 +232,13 @@ class SystemAddressbook extends AddressBook {
                }
 
                /** @psalm-suppress NoInterfaceProperties */
-               if ($this->request->server['PHP_AUTH_USER'] !== 'system') {
+               $server = $this->request->server;
+               if (!isset($server['PHP_AUTH_USER']) || $server['PHP_AUTH_USER'] !== 'system') {
                        return false;
                }
 
                /** @psalm-suppress NoInterfaceProperties */
-               $sharedSecret = $this->request->server['PHP_AUTH_PW'];
+               $sharedSecret = $server['PHP_AUTH_PW'] ?? null;
                if ($sharedSecret === null) {
                        return false;
                }
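Review bot: The `=== null` guard on `$sharedSecret` rejects only a missing `PHP_AUTH_PW`; an empty password still passes it and reaches whatever comparison follows. That comparison is outside this hunk, so I can't confirm it, but it should reject an empty or unset configured secret and compare with `hash_equals()` rather than `===`/`!==`. I would tighten the guard here to `if (!is_string($sharedSecret) || $sharedSecret === '') { return false; }`. The second `/** @psalm-suppress NoInterfaceProperties */` looks stale now, since the property access it covered moved up to the `$server = $this->request->server;` line, and can probably be dropped.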
@@ -299,7 +298,7 @@ class SystemAddressbook extends AddressBook {
        }
 
        public function getACL() {
-               return array_filter(parent::getACL(), function($acl) {
+               return array_filter(parent::getACL(), function ($acl) {
                        if (in_array($acl['privilege'], ['{DAV:}write', '{DAV:}all'], true)) {
                                return false;
                        }