mirror of https://github.com/nextcloud/server
Reject X-OC-MTime header if given as a string with hexadecimal notation
In PHP 7.X hexadecimal notation support was removed from "is_numeric", so "sanitizeMtime" directly rejected those values; in PHP 5.X, on the other hand, "sanitizeMtime" returned 0 when a string with hexadecimal notation was given (as that was the behaviour of "intval"). To provide consistent behaviour between PHP versions, and given that it does not make much sense to send X-OC-MTime in hexadecimal notation, X-OC-MTime is now always rejected if given as a string with hexadecimal notation.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
parent
ffe034abb0
commit
2a7b1bae10
|
@ -590,7 +590,11 @@ class File extends Node implements IFile {
|
|||
}
|
||||
|
||||
private function sanitizeMtime($mtimeFromRequest) {
|
||||
if (!is_numeric($mtimeFromRequest)) {
|
||||
// In PHP 5.X "is_numeric" returns true for strings in hexadecimal
|
||||
// notation. This is no longer the case in PHP 7.X, so this check
|
||||
// ensures that strings with hexadecimal notations fail too in PHP 5.X.
|
||||
$isHexadecimal = is_string($mtimeFromRequest) && preg_match('/^\s*0[xX]/', $mtimeFromRequest);
|
||||
if ($isHexadecimal || !is_numeric($mtimeFromRequest)) {
|
||||
throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).');
|
||||
}
|
||||
|
||||
|
|
|
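Review bot: The guard in sanitizeMtime still accepts everything is_numeric() accepts, so decimal and exponent strings such as `"1.5"` or `"1e5"` pass even though the exception text says the header must be an integer. X-OC-MTime is supplied by the client, so an allow-list is easier to keep consistent across PHP versions than is_numeric() plus a deny-pattern for hex. If only integers are intended, a check along the lines of `if (!is_int($mtimeFromRequest) && !(is_string($mtimeFromRequest) && preg_match('/^-?\d+$/', $mtimeFromRequest)))` would state that directly. If non-integer numerics are tolerated on purpose, the message should say "numeric" instead. The rest of sanitizeMtime lies outside the hunk, so how the accepted value is converted afterwards is not visible here.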
@ -370,7 +370,7 @@ class FileTest extends \Test\TestCase {
|
|||
],
|
||||
"string castable hex int" => [
|
||||
'HTTP_X_OC_MTIME' => "0x45adf",
|
||||
'expected result' => 0
|
||||
'expected result' => null
|
||||
],
|
||||
"string that looks like invalid hex int" => [
|
||||
'HTTP_X_OC_MTIME' => "0x123g",
|
||||
|
|
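Review bot: The updated data set covers only the lowercase `0x` prefix with no leading whitespace, while the new pattern in sanitizeMtime also matches `0X` and whitespace before the prefix. Adding cases such as `'HTTP_X_OC_MTIME' => "0X45adf"` and `'HTTP_X_OC_MTIME' => " 0x45adf"`, each with `'expected result' => null`, would pin those branches so the rejection stays identical on PHP 5.X and 7.X. The data provider starts and ends outside the hunk, so equivalent cases may already exist elsewhere in it.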