[stable34] fix(repair): restrict unserialize() in RemoveBrokenProperties#61203

Merged
AndyScherzinger merged 1 commit into stable34 from backport/59979/stable34 on Jun 17, 2026
Conversation

@backportbot backportbot Bot commented Jun 11, 2026

Backport of PR #59979

@backportbot backportbot Bot requested a review from a team as a code owner June 11, 2026 10:56
@backportbot backportbot Bot requested review from Altahrim, ArtificialOwl, SebastianKrupinski, come-nc, icewind1991 and kesselb and removed request for a team, SebastianKrupinski and kesselb June 11, 2026 10:56
@backportbot backportbot Bot added bug 3. to review Waiting for reviews feedback-requested community pull requests from community labels Jun 11, 2026
@backportbot backportbot Bot added this to the Nextcloud 34.0.1 milestone Jun 11, 2026
@susnux susnux removed the community pull requests from community label Jun 11, 2026
RemoveBrokenProperties::run() calls unserialize() on the property value column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute.

The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used, only its truthiness is checked.

No behavior change for valid or broken rows.

Signed-off-by: Eli Peter <54954007+elicpeter@users.noreply.github.com>
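The commit message describes the hardening in prose only; the diff is not part of this page. The following is an added illustration (not Nextcloud code, not from the PR) of what `['allowed_classes' => false]` changes for a repair-style "is this row broken?" check. `WakeupProbe` and `isBrokenRow()` are constructed for the example, as are the sample rows; the real `RemoveBrokenProperties` step is assumed to do the same `=== false` comparison the commit message describes.

```php
<?php
declare(strict_types=1);

// Constructed for this example: a class whose __wakeup() counts how often it
// runs, so we can observe whether unserialize() instantiated it.
final class WakeupProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Mirrors the repair step's test as the commit message describes it: the
// decoded value is thrown away, only "did unserialize() return false" matters.
// $restricted = true is the hardened form; false is the pre-fix form.
function isBrokenRow(string $value, bool $restricted): bool
{
    // '@' suppresses the warning unserialize() emits for malformed input.
    $decoded = $restricted
        ? @unserialize($value, ['allowed_classes' => false])
        : @unserialize($value);

    return $decoded === false;
}

// Constructed sample rows. 'b:0;' is the one well-formed payload that
// legitimately decodes to false; it is classified as broken on both paths,
// consistent with "no behavior change for valid or broken rows".
$rows = [
    'valid array'       => serialize(['foo' => 'bar']),
    'serialized false'  => 'b:0;',
    'truncated payload' => 'a:1:{s:3:"foo";s:3:"ba',
    'object payload'    => serialize(new WakeupProbe()),
];

foreach ([false, true] as $restricted) {
    WakeupProbe::$wakeups = 0;

    foreach ($rows as $label => $value) {
        printf(
            "%-18s restricted=%d broken=%d\n",
            $label,
            (int) $restricted,
            (int) isBrokenRow($value, $restricted)
        );
    }

    // Unrestricted: the object payload instantiates WakeupProbe and __wakeup()
    // runs once. Restricted: it decodes to __PHP_Incomplete_Class instead,
    // which is still !== false, so the row is classified identically, but no
    // user class is instantiated and no magic method runs.
    printf(
        "__wakeup() calls with restricted=%d: %d\n\n",
        (int) $restricted,
        WakeupProbe::$wakeups
    );
}
```

The broken/not-broken verdict is the same for every row on both paths; the only difference is the `__wakeup()` counter, which is 1 unrestricted and 0 restricted. That is the property the change relies on: the repair step never needs the decoded object, so refusing all classes costs nothing and removes the code-execution surface of magic methods on whatever class name a stored payload happens to reference.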
@AndyScherzinger AndyScherzinger force-pushed the backport/59979/stable34 branch from a2881f7 to c919537 Compare June 16, 2026 11:12
@AndyScherzinger AndyScherzinger merged commit 7d4b31c into stable34 Jun 17, 2026
182 of 193 checks passed
@AndyScherzinger AndyScherzinger deleted the backport/59979/stable34 branch June 17, 2026 05:12

5 participants