Prevent creating users with existing files

Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2019-11-27 10:27:31 +01:00
parent 19935a6a26
commit dd53fad898
No known key found for this signature in database
GPG Key ID: 7076EA9751AACDDA
1 changed files with 19 additions and 7 deletions

View File

@ -294,10 +294,6 @@ class Manager extends PublicEmitter implements IUserManager {
* @return bool|IUser the created user or false * @return bool|IUser the created user or false
*/ */
public function createUser($uid, $password) { public function createUser($uid, $password) {
if (!$this->verifyUid($uid)) {
return false;
}
$localBackends = []; $localBackends = [];
foreach ($this->backends as $backend) { foreach ($this->backends as $backend) {
if ($backend instanceof Database) { if ($backend instanceof Database) {
@ -332,22 +328,30 @@ class Manager extends PublicEmitter implements IUserManager {
// Check the name for bad characters // Check the name for bad characters
// Allowed are: "a-z", "A-Z", "0-9" and "_.@-'" // Allowed are: "a-z", "A-Z", "0-9" and "_.@-'"
if (preg_match('/[^a-zA-Z0-9 _\.@\-\']/', $uid)) { if (preg_match('/[^a-zA-Z0-9 _.@\-\']/', $uid)) {
throw new \InvalidArgumentException($l->t('Only the following characters are allowed in a username:' throw new \InvalidArgumentException($l->t('Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"')); . ' "a-z", "A-Z", "0-9", and "_.@-\'"'));
} }
// No empty username // No empty username
if (trim($uid) === '') { if (trim($uid) === '') {
throw new \InvalidArgumentException($l->t('A valid username must be provided')); throw new \InvalidArgumentException($l->t('A valid username must be provided'));
} }
// No whitespace at the beginning or at the end // No whitespace at the beginning or at the end
if (trim($uid) !== $uid) { if (trim($uid) !== $uid) {
throw new \InvalidArgumentException($l->t('Username contains whitespace at the beginning or at the end')); throw new \InvalidArgumentException($l->t('Username contains whitespace at the beginning or at the end'));
} }
// Username only consists of 1 or 2 dots (directory traversal) // Username only consists of 1 or 2 dots (directory traversal)
if ($uid === '.' || $uid === '..') { if ($uid === '.' || $uid === '..') {
throw new \InvalidArgumentException($l->t('Username must not consist of dots only')); throw new \InvalidArgumentException($l->t('Username must not consist of dots only'));
} }
if (!$this->verifyUid($uid)) {
throw new \InvalidArgumentException($l->t('Username is invalid because files already exist for this user'));
}
// No empty password // No empty password
if (trim($password) === '') { if (trim($password) === '') {
throw new \InvalidArgumentException($l->t('A valid password must be provided')); throw new \InvalidArgumentException($l->t('A valid password must be provided'));
@ -623,10 +627,18 @@ class Manager extends PublicEmitter implements IUserManager {
private function verifyUid(string $uid): bool { private function verifyUid(string $uid): bool {
$appdata = 'appdata_' . $this->config->getSystemValueString('instanceid'); $appdata = 'appdata_' . $this->config->getSystemValueString('instanceid');
if ($uid === '.htaccess' || $uid === 'files_external' || $uid === '.ocdata' || $uid === 'owncloud.log' || $uid === 'nextcloud.log' || $uid === $appdata) { if (\in_array($uid, [
'.htaccess',
'files_external',
'.ocdata',
'owncloud.log',
'nextcloud.log',
$appdata], true)) {
return false; return false;
} }
return true; $dataDirectory = $this->config->getSystemValueString('datadirectory', \OC::$SERVERROOT . '/data');
return !file_exists(rtrim($dataDirectory, '/') . '/' . $uid);
} }
} }