author | Daniel Calviño Sánchez <danxuliu@gmail.com> | 2017-11-28 01:08:52 +0100 |
---|---|---|
committer | Daniel Calviño Sánchez <danxuliu@gmail.com> | 2017-11-28 01:08:52 +0100 |
commit | 2a7b1bae10f9578485805d3733eda21b019236c1 (patch) | |
tree | 289adce61e231af0be91a2cbd28d22ced607c4c5 /apps/dav | |
parent | ffe034abb09b5f73ec50f15c7deb92357765377f (diff) | |
Reject X-OC-MTime header if given as a string with hexadecimal notation
In PHP 7.X hexadecimal notation support was removed from "is_numeric",
so "sanitizeMtime" directly rejected those values; in PHP 5.X, on the
other hand, "sanitizeMtime" returned 0 when a string with hexadecimal
notation was given (as it was the behaviour of "intval"). To provide a
consistent behaviour between PHP versions, and given that it does not
make much sense to send X-OC-MTime in hexadecimal notation, now
X-OC-MTime is always rejected if given as a string with hexadecimal
notation.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Diffstat (limited to 'apps/dav')
-rw-r--r-- | apps/dav/lib/Connector/Sabre/File.php | 6 | ||||
-rw-r--r-- | apps/dav/tests/unit/Connector/Sabre/FileTest.php | 2 |
2 files changed, 6 insertions, 2 deletions
diff --git a/apps/dav/lib/Connector/Sabre/File.php b/apps/dav/lib/Connector/Sabre/File.php
index 2d20c0958ff..32cc8b7adeb 100644
--- a/apps/dav/lib/Connector/Sabre/File.php
+++ b/apps/dav/lib/Connector/Sabre/File.php
@@ -590,7 +590,11 @@ class File extends Node implements IFile {
 }
 private function sanitizeMtime($mtimeFromRequest) {
- if (!is_numeric($mtimeFromRequest)) {
+ // In PHP 5.X "is_numeric" returns true for strings in hexadecimal
+ // notation. This is no longer the case in PHP 7.X, so this check
+ // ensures that strings with hexadecimal notations fail too in PHP 5.X.
+ $isHexadecimal = is_string($mtimeFromRequest) && preg_match('/^\s*0[xX]/', $mtimeFromRequest);
+ if ($isHexadecimal || !is_numeric($mtimeFromRequest)) {
 throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).');
 }
diff --git a/apps/dav/tests/unit/Connector/Sabre/FileTest.php b/apps/dav/tests/unit/Connector/Sabre/FileTest.php
index 2bc65b987b7..1db9b7948e3 100644
--- a/apps/dav/tests/unit/Connector/Sabre/FileTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/FileTest.php
@@ -370,7 +370,7 @@ class FileTest extends \Test\TestCase {
 ],
 "string castable hex int" => [
 'HTTP_X_OC_MTIME' => "0x45adf",
- 'expected result' => 0
+ 'expected result' => null
 ],
 "string that looks like invalid hex int" => [
 'HTTP_X_OC_MTIME' => "0x123g", |
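Review bot: The new `$isHexadecimal` guard in `sanitizeMtime` denies a single notation, while the remaining check is still `is_numeric`, which also accepts floats, exponent notation such as `1e5`, a leading sign and leading whitespace; none of those matches the error text "must be an integer (unix timestamp)". X-OC-MTime is a client-supplied header, so an allow-list is easier to keep consistent across PHP versions than one deny rule per notation, for example `if (filter_var($mtimeFromRequest, FILTER_VALIDATE_INT) === false) {` if only integers are meant to be accepted. The function body continues outside the hunk, so whether floats or negative values are deliberately tolerated cannot be seen here; if they are, the comment above the check should say so.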
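Review bot: The updated data set in FileTest only exercises the lowercase form `"0x45adf"`, although the new pattern `/^\s*0[xX]/` in File.php also has an uppercase branch and a leading-whitespace branch that no visible case reaches. Adding entries such as `"string castable hex int, uppercase prefix" => ['HTTP_X_OC_MTIME' => "0X45adf", 'expected result' => null]` and one with a leading space would pin the behaviour the commit message promises on both PHP versions. The data provider array starts and ends outside the hunk, so such cases may already exist elsewhere in the file.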