From 1defaf241581a3b1d5a99be99c43ea3ffec0b0e2 Mon Sep 17 00:00:00 2001
From: Robin Appelman <robin@icewind.nl>
Date: Mon, 22 Jun 2026 20:04:14 +0200
Subject: [PATCH 1/2] perf: block all '{DAV:}' custom properties except for
 'displayname'

Signed-off-by: Robin Appelman <robin@icewind.nl>
---
 apps/dav/lib/DAV/CustomPropertiesBackend.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php
index 5fac0b17dff27..6e07809c6770b 100644
--- a/apps/dav/lib/DAV/CustomPropertiesBackend.php
+++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php
@@ -85,6 +85,15 @@ class CustomPropertiesBackend implements BackendInterface {
 		'{http://owncloud.org/ns}enabled',
 	];
 
+	/**
+	 * Allowed properties for the dav namespace, all other properties in the namespace are ignored
+	 *
+	 * @var string[]
+	 */
+	private const ALLOWED_DAV_PROPERTIES = [
+		'{DAV:}displayname',
+	];
+
 	/**
 	 * Properties set by one user, readable by all others
 	 *
@@ -275,6 +284,9 @@ private function isPropertyAllowed(string $property): bool {
 		if (in_array($property, self::IGNORED_PROPERTIES)) {
 			return false;
 		}
+		if (str_starts_with($property, '{DAV:}')) {
+			return in_array($property, self::ALLOWED_DAV_PROPERTIES);
+		}
 		if (str_starts_with($property, '{http://owncloud.org/ns}') || str_starts_with($property, '{http://nextcloud.org/ns}')) {
 			return in_array($property, self::ALLOWED_NC_PROPERTIES);
 		}

From 7cba53a49c503621e2e2f27e3d9d38cbb364217a Mon Sep 17 00:00:00 2001
From: Robin Appelman <robin@icewind.nl>
Date: Mon, 22 Jun 2026 20:04:41 +0200
Subject: [PATCH 2/2] perf: block all
 '{http://open-collaboration-services.org/ns}' custom properties

Signed-off-by: Robin Appelman <robin@icewind.nl>
---
 apps/dav/lib/DAV/CustomPropertiesBackend.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php
index 6e07809c6770b..b9126b9b39f3b 100644
--- a/apps/dav/lib/DAV/CustomPropertiesBackend.php
+++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php
@@ -284,6 +284,9 @@ private function isPropertyAllowed(string $property): bool {
 		if (in_array($property, self::IGNORED_PROPERTIES)) {
 			return false;
 		}
+		if (str_starts_with($property, '{http://open-collaboration-services.org/ns}')) {
+			return false;
+		}
 		if (str_starts_with($property, '{DAV:}')) {
 			return in_array($property, self::ALLOWED_DAV_PROPERTIES);
 		}