From 3d2f9150374576f9b3b5affb241f5dac195b8127 Mon Sep 17 00:00:00 2001
From: ralf
Date: Thu, 27 Jul 2023 20:50:14 +0200
Subject: [PATCH] guard against CalDAV clients wrongly sending a Content-Type or Accept header for JSON
---
 api/src/CalDAV.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/api/src/CalDAV.php b/api/src/CalDAV.php
index 3fd36d945a..ff42a90743 100644
--- a/api/src/CalDAV.php
+++ b/api/src/CalDAV.php
@@ -1073,6 +1073,12 @@ class CalDAV extends HTTP_WebDAV_Server
 $type = in_array($_SERVER['REQUEST_METHOD'], ['PUT', 'POST', 'PATCH', 'PROPPATCH']) ? $_SERVER['HTTP_CONTENT_TYPE'] : $_SERVER['HTTP_ACCEPT'];
 }
+ // make sure the client is not just a CalDAV client wrongly sending a Content-Type or Accept header for JSON
+ if (in_array($_SERVER['REQUEST_METHOD'], ['REPORT', 'PROPFIND', 'PROPPATCH']) || // no REST, but CalDAV methods
+ isset($_SERVER['HTTP_CONTENT_TYPE']) && pref_match('#(application|text)/xml#', $_SERVER['HTTP_CONTENT_TYPE']))
+ {
+ return false;
+ }
 return preg_match('#application/(([^+ ;]+)\+)?json#', $type, $matches) ? (empty($matches[1]) ? true : $matches[2]) : false;
 }
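Review bot: `pref_match` in the new guard is not a PHP function, so every request that is not a REPORT/PROPFIND/PROPPATCH but carries a Content-Type header (i.e. most PUT/POST/PATCH calls the REST path exists for) will die with "Call to undefined function" instead of reaching the JSON check; it should read `isset($_SERVER['HTTP_CONTENT_TYPE']) && preg_match('#(application|text)/xml#', $_SERVER['HTTP_CONTENT_TYPE'])`. The mixed `||`/`&&` condition parses as intended because `&&` binds tighter, but wrapping the `isset(...) && preg_match(...)` pair in parentheses would make that explicit, and `in_array` should pass `true` as its third argument as the other call in this function already compares literal method names. The commit subject also mentions the Accept header, yet the XML test only reads `HTTP_CONTENT_TYPE`, so a GET whose Accept lists XML next to JSON still falls through to the JSON match below — presumably acceptable, but worth confirming or noting in the comment. The enclosing method starts outside this hunk.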