author | SebastianKrupinski <krupinskis05@gmail.com> | 2024-07-04 18:56:27 -0400 |
committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2024-07-10 14:55:52 +0000 |
commit | 7728bbcf2517da3032b49c3383fbfb8a309374e6 (patch) | |
tree | db0c3b8d85c537e3541ac07a89d83d106d0d003f /apps/dav/lib | |
parent | 3b7172b5edbea791e19a23f4f0ff78c12eff11d4 (diff) | |
fix(caldav): limit vevent size
Signed-off-by: SebastianKrupinski <krupinskis05@gmail.com>
Diffstat (limited to 'apps/dav/lib')
-rw-r--r-- | apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php | 40 | ||||
-rw-r--r-- | apps/dav/lib/Server.php | 2 |
2 files changed, 42 insertions, 0 deletions
diff --git a/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php b/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
new file mode 100644
index 00000000000..680e5a1f02a
--- /dev/null
+++ b/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\DAV\CalDAV\Validation;
+
+use OCA\DAV\AppInfo\Application;
+use OCP\IAppConfig;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Server;
+use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+
+class CalDavValidatePlugin extends ServerPlugin {
+
+ public function __construct(
+ private IAppConfig $config
+ ) {
+ }
+
+ public function initialize(Server $server): void {
+ $server->on('beforeMethod:PUT', [$this, 'beforePut']);
+ }
+
+ public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
+ // evaluate if card size exceeds defined limit
+ $eventSizeLimit = $this->config->getValueInt(Application::APP_ID, 'event_size_limit', 10485760);
+ if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $eventSizeLimit) {
+ throw new Forbidden("VEvent or VTodo object exceeds $eventSizeLimit bytes");
+ }
+ // all tests passed return true
+ return true;
+ }
+
+}
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
index cd3f21fe9ef..6ab24f55adb 100644
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -40,6 +40,7 @@ use OCA\DAV\AppInfo\PluginManager;
 use OCA\DAV\BulkUpload\BulkUploadPlugin;
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\CardDAV\HasPhotoPlugin;
 use OCA\DAV\CardDAV\ImageExportPlugin;
 use OCA\DAV\CardDAV\MultiGetExportPlugin;
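Review bot: The size check in `beforePut` fires for every PUT this Sabre server receives, not only for calendar objects, because `beforeMethod:PUT` is registered with no path filter — a file or vCard upload above 10 MiB would be rejected with "VEvent or VTodo object exceeds …" if this Server instance also serves those trees (the second Server.php hunk registers addressbook plugins on the same instance, so at least CardDAV is affected). The check also trusts the client-supplied `CONTENT_LENGTH`: a chunked PUT sends none, `(int) null` is 0, and the limit is silently bypassed, so the bound needs to be enforced on the body actually read, or unsized calendar PUTs rejected explicitly (Sabre's `LengthRequired` would fit, if clients tolerate it). Restricting the hook to the calendar subtree (the exact root prefixes must be confirmed against the tree Server.php builds) and handling a missing length explicitly would close both gaps; the comment `// evaluate if card size exceeds defined limit` also says "card" where it means event. Rewritten `beforePut` below.

```php
	public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
		// This hook fires for every PUT on the server; only calendar objects are subject to the limit.
		// TODO(review): confirm the calendar root prefix(es) against the tree built in Server.php.
		if (!str_starts_with($request->getPath(), 'calendars/')) {
			return true;
		}
		$eventSizeLimit = $this->config->getValueInt(Application::APP_ID, 'event_size_limit', 10485760);
		// CONTENT_LENGTH is client-controlled and absent for chunked bodies; treat "absent" as
		// "unbounded" rather than as 0, which would let an oversized chunked upload through.
		$contentLength = $request->getRawServerValue('CONTENT_LENGTH');
		if ($contentLength === null || $contentLength === '') {
			throw new \Sabre\DAV\Exception\LengthRequired('Content-Length is required for calendar object uploads');
		}
		if ((int) $contentLength > $eventSizeLimit) {
			throw new Forbidden("VEvent or VTodo object exceeds $eventSizeLimit bytes");
		}
		return true;
	}
```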
@@ -199,6 +200,7 @@ class Server {
 ));
 $this->server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+ $this->server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
 }
 // addressbook plugins |