fix(repair): restrict unserialize() in RemoveBrokenProperties

[elicpeter]

• Resolves: #

Summary

RemoveBrokenProperties::run() calls unserialize() on the propertyvalue column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute.

The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used, only its truthiness is checked.

No behavior change for valid or broken rows.

Found while testing an in-development static analysis tool I'm building against open-source PHP codebases.

TODO

• ...

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI

[Altahrim]

Looks good, thank you!

[Copilot]

Pull request overview

Hardens the DAV properties repair step by preventing PHP object instantiation during unserialize() when scanning properties.propertyvalue for broken serialized payloads.

Changes:

• Updates RemoveBrokenProperties::run() to call unserialize(..., ['allowed_classes' => false]) when checking whether propertyvalue is broken.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.