From ff57dc80d389a26917f5d3e0f55bab0c1a761197 Mon Sep 17 00:00:00 2001
From: Daniel Kesselberg
Date: Fri, 22 Nov 2024 16:16:46 +0100
Subject: [PATCH] fix: Re-throwing the TypeError to prevent exposing the installation path

Signed-off-by: Daniel Kesselberg
---
 apps/dav/lib/Connector/Sabre/Server.php | 90 +++++++++++++++++++++++++
 remote.php | 3 +-
 2 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/apps/dav/lib/Connector/Sabre/Server.php b/apps/dav/lib/Connector/Sabre/Server.php
index 6cf6fa954c8db..4930ce29cfdf7 100644
--- a/apps/dav/lib/Connector/Sabre/Server.php
+++ b/apps/dav/lib/Connector/Sabre/Server.php
@@ -25,6 +25,9 @@
  */
 namespace OCA\DAV\Connector\Sabre;
 
+use Sabre\DAV\Exception;
+use Sabre\DAV\Version;
+
 /**
  * Class \OCA\DAV\Connector\Sabre\Server
  *
@@ -43,4 +46,91 @@ public function __construct($treeOrNode = null) {
 self::$exposeVersion = false;
 $this->enablePropfindDepthInfinity = true;
 }
+
+ /**
+ *
+ * @return void
+ */
+ public function start() {
+ try {
+ // If nginx (pre-1.2) is used as a proxy server, and SabreDAV as an
+ // origin, we must make sure we send back HTTP/1.0 if this was
+ // requested.
+ // This is mainly because nginx doesn't support Chunked Transfer
+ // Encoding, and this forces the webserver SabreDAV is running on,
+ // to buffer entire responses to calculate Content-Length.
+ $this->httpResponse->setHTTPVersion($this->httpRequest->getHTTPVersion());
+
+ // Setting the base url
+ $this->httpRequest->setBaseUrl($this->getBaseUri());
+ $this->invokeMethod($this->httpRequest, $this->httpResponse);
+ } catch (\Error $e) {
+ /*
+ * The TypeError includes the file path where the error occurred,
+ * potentially revealing the installation directory.
+ *
+ * By re-throwing the exception, we ensure that the
+ * default exception handler processes it.
+ */
+ throw $e;
+ } catch (\Throwable $e) {
+ try {
+ $this->emit('exception', [$e]);
+ } catch (\Exception $ignore) {
+ }
+
+ $DOM = new \DOMDocument('1.0', 'utf-8');
+ $DOM->formatOutput = true;
+
+ $error = $DOM->createElementNS('DAV:', 'd:error');
+ $error->setAttribute('xmlns:s', self::NS_SABREDAV);
+ $DOM->appendChild($error);
+
+ $h = function ($v) {
+ return htmlspecialchars((string)$v, ENT_NOQUOTES, 'UTF-8');
+ };
+
+ if (self::$exposeVersion) {
+ $error->appendChild($DOM->createElement('s:sabredav-version', $h(Version::VERSION)));
+ }
+
+ $error->appendChild($DOM->createElement('s:exception', $h(get_class($e))));
+ $error->appendChild($DOM->createElement('s:message', $h($e->getMessage())));
+ if ($this->debugExceptions) {
+ $error->appendChild($DOM->createElement('s:file', $h($e->getFile())));
+ $error->appendChild($DOM->createElement('s:line', $h($e->getLine())));
+ $error->appendChild($DOM->createElement('s:code', $h($e->getCode())));
+ $error->appendChild($DOM->createElement('s:stacktrace', $h($e->getTraceAsString())));
+ }
+
+ if ($this->debugExceptions) {
+ $previous = $e;
+ while ($previous = $previous->getPrevious()) {
+ $xPrevious = $DOM->createElement('s:previous-exception');
+ $xPrevious->appendChild($DOM->createElement('s:exception', $h(get_class($previous))));
+ $xPrevious->appendChild($DOM->createElement('s:message', $h($previous->getMessage())));
+ $xPrevious->appendChild($DOM->createElement('s:file', $h($previous->getFile())));
+ $xPrevious->appendChild($DOM->createElement('s:line', $h($previous->getLine())));
+ $xPrevious->appendChild($DOM->createElement('s:code', $h($previous->getCode())));
+ $xPrevious->appendChild($DOM->createElement('s:stacktrace', $h($previous->getTraceAsString())));
+ $error->appendChild($xPrevious);
+ }
+ }
+
+ if ($e instanceof Exception) {
+ $httpCode = $e->getHTTPCode();
+ $e->serialize($this, $error);
+ $headers = $e->getHTTPHeaders($this);
+ } else {
+ $httpCode = 500;
+ $headers = [];
+ }
+
$headers['Content-Type'] = 'application/xml; charset=utf-8';
+
+ $this->httpResponse->setStatus($httpCode);
+ $this->httpResponse->setHeaders($headers);
+ $this->httpResponse->setBody($DOM->saveXML());
+ $this->sapi->sendResponse($this->httpResponse);
+ }
+ }
 }
diff --git a/remote.php b/remote.php
index 03575627dc504..87629ef2971b5 100644
--- a/remote.php
+++ b/remote.php
@@ -52,9 +52,10 @@ class RemoteException extends Exception {
 function handleException($e) {
 try {
 $request = \OC::$server->getRequest();
+ $isError = $e instanceof Error;
 // in case the request content type is text/xml - we assume it's a WebDAV request
 $isXmlContentType = strpos($request->getHeader('Content-Type'), 'text/xml');
- if ($isXmlContentType === 0) {
+ if ($isError === false && $isXmlContentType === 0) {
 // fire up a simple server to properly process the exception
 $server = new Server();
 if (!($e instanceof RemoteException)) {
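Review bot: The rethrow narrows the path leak to `\Error`, but the `\Throwable` branch still writes `$e->getMessage()` into `s:message` for every non-Sabre exception regardless of `$this->debugExceptions`, so any `\Exception` whose message happens to embed a server path (a filesystem or `ErrorException` message, for instance) is still returned to the client with a 500. If that is not intended, gate the raw message the same way the file/line/stacktrace fields already are: `$message = ($e instanceof Exception || $this->debugExceptions) ? $e->getMessage() : 'Internal Server Error';` followed by `$error->appendChild($DOM->createElement('s:message', $h($message)));`. The docblock is empty apart from `@return void`; it should say why the inherited method is overridden, e.g. `Overrides the inherited start() so that \Error (TypeError etc.) is rethrown to the global handler instead of being serialised into the d:error body, because its message carries absolute file paths.` The catch also covers every `\Error`, not only `TypeError` as the inline comment suggests, which the comment should reflect. The enclosing class starts before this hunk.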
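Review bot: The new `$isError` guard carries no explanation in remote.php; the reason (an `\Error` message embeds absolute file paths) lives only in a comment in another file, so a later reader may well fold the condition back. Add a why-comment above the assignment: `// \Error (TypeError etc.) messages include absolute file paths; keep them off the WebDAV d:error path so the generic handler decides what is exposed`. DAV clients now receive whatever the fallback branch produces for such errors instead of an XML `d:error` body; that branch is outside this hunk, so confirm it does not echo the message itself when debug is off. Stylistically `if (!$isError && $isXmlContentType === 0)` reads more naturally than comparing a bool with `=== false`. handleException continues past the end of the hunk.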