From ecb55cc8d468792913ca22dae048fc18ab00d904 Mon Sep 17 00:00:00 2001
From: Carl Schwan
Date: Thu, 16 Apr 2026 01:06:29 +0200
Subject: [PATCH 1/2] fix: Harden libxml_set_external_entity_loader

Make sure it is called even if $func() throws

Signed-off-by: Carl Schwan
---
 lib/Helper/TXmlHelper.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/Helper/TXmlHelper.php b/lib/Helper/TXmlHelper.php
index 609067631..9bcd9d987 100644
--- a/lib/Helper/TXmlHelper.php
+++ b/lib/Helper/TXmlHelper.php
@@ -14,8 +14,11 @@ trait TXmlHelper {
 	 */
 	public function callWithXmlEntityLoader(callable $func): mixed {
 		libxml_set_external_entity_loader(static fn ($public, $system) => $system);
-		$result = $func();
-		libxml_set_external_entity_loader(static fn () => null);
+		try {
+			$result = $func();
+		} finally {
+			libxml_set_external_entity_loader(static fn () => null);
+		}
 		return $result;
 	}
 }

From 5bda8202183d22774bf9d208ec7c8061102465d5 Mon Sep 17 00:00:00 2001
From: Carl Schwan
Date: Thu, 16 Apr 2026 01:08:23 +0200
Subject: [PATCH 2/2] fix: Reject paths containing directory traversal sequences

Should not happen as the idp is trusted but it never hurts to explicitely check for them.

Signed-off-by: Carl Schwan
---
 lib/UserBackend.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/UserBackend.php b/lib/UserBackend.php
index 3ee34fc41..24bc18a58 100644
--- a/lib/UserBackend.php
+++ b/lib/UserBackend.php
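Review bot: The `finally` branch always installs the null-returning resolver rather than whatever resolver was active when `callWithXmlEntityLoader` was entered, so a caller that had configured its own loader loses it after this call even though exceptions are now handled correctly; on PHP 8.4+ the previous loader can be captured with `libxml_get_external_entity_loader()` before the permissive one is installed and restored in `finally`, on older versions the current behaviour is the best available and deserves a comment saying so. The docblock above the hunk (its `*/` is the first context line) should also state that `$func` runs with a resolver that returns the system identifier verbatim, so any XML parsed inside the callback will follow external entity references, that exceptions from `$func` propagate, and that the permissive resolver is removed before they leave the method. Suggested docblock text: `Runs $func with an external entity loader that resolves system IDs; the loader is replaced by a deny-all loader before this method returns or rethrows, so keep the callback limited to the parsing that needs it.`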
@@ -101,6 +101,18 @@ public function createUserIfNotExists(string $uid, array $attributes = []): void
 					$this->serverRoot . '/data') . '/' . $home;
 			}
 
+			// Reject paths containing directory traversal sequences
+			$normalizedHome = str_replace('\\', '/', $home);
+			if (str_contains($normalizedHome, '/../') || str_ends_with($normalizedHome, '/..')) {
+				$this->logger->warning(
+					'Rejecting home path from SAML attribute containing directory traversal sequence',
+					['app' => 'user_saml', 'home' => $home]
+				);
+				$home = '';
+			}
+		}
+
+		if ($home !== '') {
 			$values['home'] = $home;
 		}
 
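Review bot: The added condition only matches `..` when it is preceded by a slash, so a normalized value that is exactly `..` or that starts with `../` passes the check unchanged; whether such a relative value can reach this line depends on the branch above the hunk, which prefixes `$home` with the data directory in at least one case, so the gap is real only if another branch leaves the attribute value as-is. Testing the path segments instead of substrings closes it in one line: `if (in_array('..', explode('/', $normalizedHome), true)) {`. The rest of the block is sound: the warning keeps the raw attribute in the `home` context field for triage, and emptying `$home` and then guarding the assignment with the new `if ($home !== '')` makes the rejection fall back to the default home rather than aborting user creation. createUserIfNotExists and the block closed by the added `}` both begin outside the hunk.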