wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #4371 from nextcloud/dont-allow-dot-usernames

Browse source 
Better validation of allowed user names
This commit is contained in:
Morris Jobke 2017-04-18 20:04:32 -05:00 committed by GitHub
commit f1ddb939a0
2 changed files with 48 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/private/User/Manager.php
View file

@ -295,9 +295,13 @@ class Manager extends PublicEmitter implements IUserManager {
throw new \Exception($l->t('A valid username must be provided'));
}
// No whitespace at the beginning or at the end
if (strlen(trim($uid, "\t\n\r\0\x0B\xe2\x80\x8b")) !== strlen(trim($uid))) {
if (trim($uid) !== $uid) {
throw new \Exception($l->t('Username contains whitespace at the beginning or at the end'));
}
// Username only consists of 1 or 2 dots (directory traversal)
if ($uid === '.' || $uid === '..') {
throw new \Exception($l->t('Username must not consist of dots only'));
}
// No empty password
if (trim($password) == '') {
throw new \Exception($l->t('A valid password must be provided'));

43
tests/lib/User/ManagerTest.php
View file

@ -256,6 +256,49 @@ class ManagerTest extends TestCase {
$this->assertEquals('foo3', array_shift($result)->getUID());
}
public function dataCreateUserInvalid() {
return [
['te?st', 'foo', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\tst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\nst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\rst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\0st", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\x0Bst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\xe2st", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\x80st", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
["te\x8bst", '', 'Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
['', 'foo', 'A valid username must be provided'],
[' ', 'foo', 'A valid username must be provided'],
[' test', 'foo', 'Username contains whitespace at the beginning or at the end'],
['test ', 'foo', 'Username contains whitespace at the beginning or at the end'],
['.', 'foo', 'Username must not consist of dots only'],
['..', 'foo', 'Username must not consist of dots only'],
['.test', '', 'A valid password must be provided'],
['test', '', 'A valid password must be provided'],
];
}
/**
* @dataProvider dataCreateUserInvalid
*/
public function testCreateUserInvalid($uid, $password, $exception) {
$this->setExpectedException(\Exception::class, $exception);
$manager = new \OC\User\Manager($this->config);
$manager->createUser($uid, $password);
}
public function testCreateUserSingleBackendNotExists() {
/**
* @var \Test\Util\User\Dummy | \PHPUnit_Framework_MockObject_MockObject $backend