summaryrefslogtreecommitdiffstats
path: root/apps/dav/lib/Connector/Sabre/Node.php
diff options
context:
space:
mode:
Diffstat (limited to 'apps/dav/lib/Connector/Sabre/Node.php')
-rw-r--r--apps/dav/lib/Connector/Sabre/Node.php14
1 files changed, 14 insertions, 0 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Node.php b/apps/dav/lib/Connector/Sabre/Node.php
index 979336d86fe..b8a8209129c 100644
--- a/apps/dav/lib/Connector/Sabre/Node.php
+++ b/apps/dav/lib/Connector/Sabre/Node.php
@@ -165,6 +165,7 @@ abstract class Node implements \Sabre\DAV\INode {
* Even if the modification time is set to a custom value the access time is set to now.
*/
public function touch($mtime) {
+ $mtime = $this->sanitizeMtime($mtime);
$this->fileView->touch($this->path, $mtime);
$this->refreshInfo();
}
@@ -358,4 +359,17 @@ abstract class Node implements \Sabre\DAV\INode {
public function getFileInfo() {
return $this->info;
}
+
+ protected function sanitizeMtime($mtimeFromRequest) {
+ // In PHP 5.X "is_numeric" returns true for strings in hexadecimal
+ // notation. This is no longer the case in PHP 7.X, so this check
+ // ensures that strings with hexadecimal notations fail too in PHP 5.X.
+ $isHexadecimal = is_string($mtimeFromRequest) && preg_match('/^\s*0[xX]/', $mtimeFromRequest);
+ if ($isHexadecimal || !is_numeric($mtimeFromRequest)) {
+ throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).');
+ }
+
+ return intval($mtimeFromRequest);
+ }
+
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-28 18:22:31 +0000