Mitigate encoding issue with user principal uri

Signed-off-by: Georg Ehrke <developer@georgehrke.com>
This commit is contained in:
Georg Ehrke 2020-09-10 12:55:41 +02:00 committed by backportbot[bot]
parent 9e88559e94
commit ac87e46dff
1 changed files with 5 additions and 1 deletions

View File

@ -168,7 +168,11 @@ class Principal implements BackendInterface {
} }
if ($prefix === $this->principalPrefix) { if ($prefix === $this->principalPrefix) {
$user = $this->userManager->get($name); // Depending on where it is called, it may happen that this function
// is called either with a urlencoded version of the name or with a non-urlencoded one.
// The urldecode function replaces %## and +, both of which are forbidden in usernames.
// Hence there can be no ambiguity here and it is safe to call urldecode on all usernames
$user = $this->userManager->get(urldecode($name));
if ($user !== null) { if ($user !== null) {
return $this->userToPrincipal($user); return $this->userToPrincipal($user);