fix(activesync): harden base64 URI decoding for GET requests #73

Merged

ralflang merged 1 commit into FRAMEWORK_6_0 from fix/decode-base64-uri-validation on Jul 1, 2026
Conversation

@TDannhauer (Contributor)

Summary

  • Harden Horde_ActiveSync_Utils::decodeBase64() against malformed QUERY_STRING values
  • Add missing EAS command codes (GetHierarchy through Find)
  • Skip DeviceType normalization when decoding fails

Motivation

Non-ActiveSync requests hitting the ActiveSync endpoint with a long enough QUERY_STRING were base64-decoded as garbage, producing PHP warnings for unknown command bytes, failed unpack() calls, and undefined DeviceType access in getGetVars().

Changes

  • Validate strict base64 decoding, header length, known command codes, and length-prefixed fields before unpack()
  • Return an empty array instead of partial invalid results
  • Guard DeviceType normalization with ?? '' and only accept decoded results when Cmd is present
  • Add unit test for invalid payloads

Test plan

  • vendor/bin/phpunit --bootstrap vendor/autoload.php vendor/horde/activesync/test/unit/Horde/ActiveSync/UtilsTest.php
  • Confirm ActiveSync device sync still works with real base64-encoded URIs
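The fail-closed validation the Changes list describes, as an added example written for this page rather than the project's own code: it is in Python so it can be run stand-alone, not the PHP of Horde_ActiveSync_Utils::decodeBase64. The byte layout (protocol version, command code, locale, length-prefixed device ID, policy key and device type, then tag/length/value parameters), the command-code table including the legacy codes 5 to 8 and Find, and the parameter-tag table are assumed from MS-ASHTTP; the encoder, the sample Sync request and the three malformed query strings are constructed for the demonstration.

```python
"""Strict decoder for the Exchange ActiveSync base64-encoded query value.

Assumed layout (after MS-ASHTTP 2.2.1.1.1.1), integers little-endian:
  ProtVer(1) Cmd(1) Locale(2) DevIDLen(1) DevID(n) PolKeyLen(1) PolKey(0|4)
  DevTypeLen(1) DevType(n) then zero or more [Tag(1) Len(1) Value(n)] parameters.
"""
import base64
import binascii
import struct

# Command codes as given in MS-ASHTTP (assumed table; 5-8 are the legacy
# commands the PR summary says were missing, and 23 is Find).
COMMANDS = {
    0: "Sync", 1: "SendMail", 2: "SmartForward", 3: "SmartReply",
    4: "GetAttachment", 5: "GetHierarchy", 6: "CreateCollection",
    7: "DeleteCollection", 8: "MoveCollection", 9: "FolderSync",
    10: "FolderCreate", 11: "FolderDelete", 12: "FolderUpdate",
    13: "MoveItems", 14: "GetItemEstimate", 15: "MeetingResponse",
    16: "Search", 17: "Settings", 18: "Ping", 19: "ItemOperations",
    20: "Provision", 21: "ResolveRecipients", 22: "ValidateCert", 23: "Find",
}
# Command parameter tags (assumed table). Options is a one-byte bit field.
PARAM_TAGS = {
    0: "AttachmentName", 1: "CollectionId", 2: "CollectionName", 3: "ItemId",
    4: "LongId", 5: "ParentId", 6: "Occurrence", 7: "Options", 8: "User",
}


class _Malformed(Exception):
    """Raised internally on any structural problem; callers only ever see {}."""


def _parse(raw: bytes) -> dict:
    pos = 0

    def take(n: int) -> bytes:
        # Every read is bounds-checked, so no unpack() can ever run short.
        nonlocal pos
        if pos + n > len(raw):
            raise _Malformed(f"need {n} bytes at offset {pos}, have {len(raw) - pos}")
        chunk = raw[pos:pos + n]
        pos += n
        return chunk

    def length_prefixed() -> bytes:
        return take(take(1)[0])

    prot_ver, cmd, locale = struct.unpack("<BBH", take(4))
    if cmd not in COMMANDS:  # reject before touching any variable-length field
        raise _Malformed(f"unknown command code {cmd}")
    dev_id = length_prefixed()
    if len(dev_id) > 16:  # MS-ASHTTP caps the device ID at 16 bytes
        raise _Malformed("device ID longer than 16 bytes")
    pol_key = length_prefixed()
    if len(pol_key) not in (0, 4):
        raise _Malformed("policy key length must be 0 or 4")
    dev_type = length_prefixed()
    out = {
        "ProtVer": f"{prot_ver // 10}.{prot_ver % 10}",  # 141 -> "14.1"
        "Cmd": COMMANDS[cmd],
        "Locale": locale,
        "DevID": dev_id.hex(),
        "PolKey": struct.unpack("<I", pol_key)[0] if pol_key else None,
        "DeviceType": dev_type.decode("ascii"),
    }
    while pos < len(raw):  # optional command parameters
        tag = take(1)[0]
        value = length_prefixed()
        name = PARAM_TAGS.get(tag)
        if name is None:
            raise _Malformed(f"unknown parameter tag {tag}")
        if name == "Options":
            if len(value) != 1:
                raise _Malformed("Options must be one byte")
            out["SaveInSent"] = bool(value[0] & 0x01)
            out["AcceptMultiPart"] = bool(value[0] & 0x02)
        else:
            out[name] = value.decode("utf-8")
    return out


def decode_eas_query(query_string: str) -> dict:
    """Return the decoded fields, or {} if the value is not a well-formed EAS payload."""
    try:
        # validate=True is the strict mode: non-alphabet bytes and bad padding
        # raise instead of being silently skipped.
        raw = base64.b64decode(query_string, validate=True)
        return _parse(raw)
    except (binascii.Error, ValueError, _Malformed, UnicodeDecodeError):
        return {}


def encode_eas_query(prot_ver, cmd_name, locale, dev_id, pol_key, dev_type, params=()):
    """Build a payload (used here only to construct sample input)."""
    cmd = {v: k for k, v in COMMANDS.items()}[cmd_name]
    raw = struct.pack("<BBH", prot_ver, cmd, locale)
    raw += bytes([len(dev_id)]) + dev_id
    raw += b"\x00" if pol_key is None else b"\x04" + struct.pack("<I", pol_key)
    raw += bytes([len(dev_type)]) + dev_type
    for name, value in params:
        tag = {v: k for k, v in PARAM_TAGS.items()}[name]
        raw += bytes([tag, len(value)]) + value
    return base64.b64encode(raw).decode("ascii")


# Constructed inputs: one genuine-looking Sync request and three malformed ones.
SAMPLE_QUERY = encode_eas_query(141, "Sync", 0x0409, bytes.fromhex("0123456789abcdef"),
                                1234, b"iPhone", [("CollectionId", b"5"), ("Options", b"\x01")])
NOT_BASE64 = "foo=bar&baz=quxquxquxquxquxquxquxqux"  # ordinary non-EAS query string
TRUNCATED = base64.b64encode(base64.b64decode(SAMPLE_QUERY)[:10]).decode("ascii")
BAD_COMMAND = base64.b64encode(b"\x8d\x63\x09\x04\x00\x00\x00").decode("ascii")  # cmd 99

if __name__ == "__main__":
    print(decode_eas_query(SAMPLE_QUERY))
    for bad in (NOT_BASE64, TRUNCATED, BAD_COMMAND):
        print(repr(bad[:20]), "->", decode_eas_query(bad))
```

The property worth keeping from this is that every failure path returns the same empty result, so a caller in the position of getGetVars() only has to test for the presence of Cmd and never sees a half-filled record with a missing DeviceType. PHP's equivalent of `validate=True` is the second argument of base64_decode($s, true).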

Reject malformed QUERY_STRING payloads before unpack() instead of
logging PHP warnings for unknown commands and truncated device IDs.
Add missing EAS command codes and skip DeviceType normalization when
decode returns no Cmd.
@TDannhauer TDannhauer requested a review from ralflang July 1, 2026 10:02
@ralflang ralflang merged commit 3ec2b2a into FRAMEWORK_6_0 Jul 1, 2026
1 check failed