Converter::updateCard unconditionally *adds* image to user vCard #26242

Closed
shtrom opened this Issue Sep 28, 2016 · 6 comments

Projects

None yet

3 participants

@shtrom
Contributor
shtrom commented Sep 28, 2016

Steps to reproduce

  1. use the user_ldap plugin (which updates the avatar from LDAP after each login: https://github.com/owncloud/user_ldap/blob/master/lib/User/User.php#L474-L483)
  2. set a user image in LDAP
  3. watch as the PHOTO field is repeatedly added to the user's vCard blob in oc_cards, until the database can hold no more (triggering doctrine/dbal#2523 in passing)

Expected behaviour

Only one PHOTO field is present in the vCard

Actual behaviour

Duplicate PHOTO fields keep getting added to the user's vCard

Cause

Converter::updateCard unconditionally adds the given photo to the vCard, rather than replace it: https://github.com/owncloud/core/blob/a9e633db0cd04cb6288ce74c197153920a0b4665/apps/dav/lib/CardDAV/Converter.php#L93-L96 ; probably a missing unset($vCard->PHOTO);?

Server configuration

Operating system: OpenBSD 6.0

Web server: apache-httpd-2.4.23

Database: MySQL (mariadb-server-10.0.25p0v1)

PHP version: php-5.6.23p0

ownCloud version: (see ownCloud admin page) 9.0.2

Updated from an older ownCloud or fresh install: updated

Where did you install ownCloud from: OpenBSD ports

@shtrom shtrom added a commit to shtrom/owncloud-core that referenced this issue Sep 28, 2016
@shtrom shtrom Unset user PHOTO before setting new one in OCA\DAV\CardDAV\Converter:…
…:updateCard

Signed-off-by: Olivier Mehani <shtrom@ssji.net>

#26242
9c2b279
@DeepDiver1975 DeepDiver1975 added this to the 9.0.6 milestone Sep 29, 2016
@DeepDiver1975 DeepDiver1975 added the bug label Sep 29, 2016
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Sep 29, 2016
@shtrom @DeepDiver1975 shtrom + DeepDiver1975 Unset user PHOTO before setting new one in OCA\DAV\CardDAV\Converter:…
…:updateCard (#26243)

Signed-off-by: Olivier Mehani <shtrom@ssji.net>

#26242
87d67a0
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Sep 29, 2016
@shtrom @DeepDiver1975 shtrom + DeepDiver1975 [stable9.1] Unset user PHOTO before setting new one in OCA\DAV\CardDA…
…V\Converter::updateCard (#26243)

Signed-off-by: Olivier Mehani <shtrom@ssji.net>

#26242
580f7a2
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Sep 30, 2016
@DeepDiver1975 DeepDiver1975 [stable9.1] Unset user PHOTO before setting new one in OCA\DAV\CardDA…
…V\Converter::updateCard (#26243) (#26246)

Signed-off-by: Olivier Mehani <shtrom@ssji.net>

#26242
058c79a
@DeepDiver1975
Member

all prs got merged - THX

@fmkaiser

@DeepDiver1975 sorry to re-open this, but it appears the fix was not backported to 9.0 despite being mentioned in the release notes.

We just stumbled across this issue again in 9.0.6 EE.

@DeepDiver1975
Member

This is true - just a sec ....

@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Jan 20, 2017
@DeepDiver1975 DeepDiver1975 Unset user PHOTO before setting new one in OCA\DAV\CardDAV\Converter…
…::updateCard - backport of #26242
25875ba
@DeepDiver1975
Member

@fmkaiser here we go - please test - THX

#26991

@fmkaiser

@DeepDiver1975 I applied the fix on our servers (on top of 9.0.6 EE).

Looks good so far, but I'd like to watch it for a bit longer and will come back to you on Monday.

Our case was a bit differnet than described in the initial report.
Same outcome - oc_cards.carddata grows with more and more PHOTO objects until MySQL max_allowed_packet is reached, then the user can't log in anymore.
However while we do use LDAP, we don't have any user images in it, the users that were affected uploaded their avatar in ownCloud.

My guess is that the avatar somehow still gets written to the DB on LDAP sync, so it is likely the same bug.

@fmkaiser

@DeepDiver1975 looks good still, thanks again for the quick reaction!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment