mirror of
https://github.com/nextcloud/server.git
synced 2026-06-29 12:24:50 +02:00
Eli Peter
c919537629
RemoveBrokenProperties::run() calls unserialize() on the property value column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute. The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used, only its truthiness is checked. No behavior change for valid or broken rows. Signed-off-by: Eli Peter <54954007+elicpeter@users.noreply.github.com>