Merge pull request #38308 from nextcloud/fix/check-for-php-auth-server-variables

fix(carddav): Check if SERVER variables are set before accessing them

1 files changed, 4 insertions, 5 deletions

diff --git a/apps/dav/lib/CardDAV/SystemAddressbook.php b/apps/dav/lib/CardDAV/SystemAddressbook.php
index 41e473ede63..c936ad2344f 100644
--- a/apps/dav/lib/CardDAV/SystemAddressbook.php
+++ b/apps/dav/lib/CardDAV/SystemAddressbook.php
@@ -35,14 +35,12 @@ use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IL10N;
 use OCP\IRequest;
-use OCP\IUser;
 use OCP\IUserSession;
 use Sabre\CardDAV\Backend\SyncSupport;
 use Sabre\CardDAV\Backend\BackendInterface;
 use Sabre\CardDAV\Card;
 use Sabre\DAV\Exception\Forbidden;
 use Sabre\DAV\Exception\NotFound;
-use Sabre\DAV\ICollection;
 use Sabre\VObject\Component\VCard;
 use Sabre\VObject\Reader;
 use function array_filter;
@@ -234,12 +232,13 @@ class SystemAddressbook extends AddressBook {
 		}
 
 		/** @psalm-suppress NoInterfaceProperties */
-		if ($this->request->server['PHP_AUTH_USER'] !== 'system') {
+		$server = $this->request->server;
+		if (!isset($server['PHP_AUTH_USER']) || $server['PHP_AUTH_USER'] !== 'system') {
 			return false;
 		}
 
 		/** @psalm-suppress NoInterfaceProperties */
-		$sharedSecret = $this->request->server['PHP_AUTH_PW'];
+		$sharedSecret = $server['PHP_AUTH_PW'] ?? null;
 		if ($sharedSecret === null) {
 			return false;
 		}
@@ -299,7 +298,7 @@ class SystemAddressbook extends AddressBook {
 	}
 
 	public function getACL() {
-		return array_filter(parent::getACL(), function($acl) {
+		return array_filter(parent::getACL(), function ($acl) {
 			if (in_array($acl['privilege'], ['{DAV:}write', '{DAV:}all'], true)) {
 				return false;
 			}