mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Better validation of allowed user names 

Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2017-04-12 10:29:28 +02:00
parent 867950a78b
commit ce8aee4a4e
No known key found for this signature in database
GPG Key ID: E166FD8976B3BAC8
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/private/User/Manager.php
View File

@ -278,9 +278,13 @@ class Manager extends PublicEmitter implements IUserManager {
throw new \Exception($l->t('A valid username must be provided'));
}
// No whitespace at the beginning or at the end
if (strlen(trim($uid, "\t\n\r\0\x0B\xe2\x80\x8b")) !== strlen(trim($uid))) {
if (trim($uid) !== $uid) {
throw new \Exception($l->t('Username contains whitespace at the beginning or at the end'));
}
// Username only consists of 1 or 2 dots (directory traversal)
if ($uid === '.' || $uid === '..') {
throw new \Exception($l->t('Username must not consist of dots only'));
}
// No empty password
if (trim($password) == '') {
throw new \Exception($l->t('A valid password must be provided'));

43
tests/lib/User/ManagerTest.php
View File

@ -256,6 +256,49 @@ class ManagerTest extends TestCase {
$this->assertEquals('foo3', array_shift($result)->getUID());
}
public function dataCreateUserInvalid() {
return [
['te?st', 'foo', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\tst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\nst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\rst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\0st", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\x0Bst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\xe2st", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\x80st", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\x8bst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
['', 'foo', 'A valid username must be provided'],
[' ', 'foo', 'A valid username must be provided'],
[' test', 'foo', 'Username contains whitespace at the beginning or at the end'],
['test ', 'foo', 'Username contains whitespace at the beginning or at the end'],
['.', 'foo', 'Username must not consist of dots only'],
['..', 'foo', 'Username must not consist of dots only'],
['.test', '', 'A valid password must be provided'],
['test', '', 'A valid password must be provided'],
];
}
/**
* @dataProvider dataCreateUserInvalid
*/
public function testCreateUserInvalid($uid, $password, $exception) {
$this->setExpectedException(\Exception::class, $exception);
$manager = new \OC\User\Manager($this->config);
$manager->createUser($uid, $password);
}
public function testCreateUserSingleBackendNotExists() {
/**
* @var \Test\Util\User\Dummy | \PHPUnit_Framework_MockObject_MockObject $backend