guard against CalDAV clients wrongly sending a Content-Type or Accept header for JSON

ralf 2023-07-27 20:50:14 +02:00
parent 46795ec108
commit 3d2f915037


@ -1073,6 +1073,12 @@ class CalDAV extends HTTP_WebDAV_Server
$type = in_array($_SERVER['REQUEST_METHOD'], ['PUT', 'POST', 'PATCH', 'PROPPATCH']) ?
$_SERVER['HTTP_CONTENT_TYPE'] : $_SERVER['HTTP_ACCEPT'];
}
// make sure the client is not just a CalDAV client wrongly sending a Content-Type or Accept header for JSON
if (in_array($_SERVER['REQUEST_METHOD'], ['REPORT', 'PROPFIND', 'PROPPATCH']) || // no REST, but CalDAV methods
isset($_SERVER['HTTP_CONTENT_TYPE']) && pref_match('#(application|text)/xml#', $_SERVER['HTTP_CONTENT_TYPE']))
{
return false;
}
return preg_match('#application/(([^+ ;]+)\+)?json#', $type, $matches) ?
(empty($matches[1]) ? true : $matches[2]) : false;
}
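Review bot: The added Content-Type check calls `pref_match`, which is not a PHP built-in and looks like a typo for `preg_match`. Unless the project defines that name elsewhere, any request with a method other than REPORT/PROPFIND/PROPPATCH that carries a Content-Type header will reach the call and fail with an undefined-function error instead of being classified. The `||` short-circuit hides the problem for the three CalDAV methods, so a test with a PUT or POST that sends a Content-Type would be needed to catch it. I would change the line to `isset($_SERVER['HTTP_CONTENT_TYPE']) && preg_match('#(application|text)/xml#', $_SERVER['HTTP_CONTENT_TYPE']))` and wrap the `isset(...) && preg_match(...)` pair in its own parentheses so the `||`/`&&` grouping is explicit. The enclosing function starts outside this hunk, so how `$type` is set on other paths is not visible here.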