Better validation of allowed user names

Signed-off-by: Joas Schilling <coding@schilljs.com>

diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index b62b04febafa05f71d3db4968519572e67a54960..6220613cbb18f00b64cd5ee9ded80e40d3606ef0 100644 (file)
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -295,9 +295,13 @@ class Manager extends PublicEmitter implements IUserManager {
                        throw new \Exception($l->t('A valid username must be provided'));
                }
                // No whitespace at the beginning or at the end
-               if (strlen(trim($uid, "\t\n\r\0\x0B\xe2\x80\x8b")) !== strlen(trim($uid))) {
+               if (trim($uid) !== $uid) {
                        throw new \Exception($l->t('Username contains whitespace at the beginning or at the end'));
                }
+               // Username only consists of 1 or 2 dots (directory traversal)
+               if ($uid === '.' || $uid === '..') {
+                       throw new \Exception($l->t('Username must not consist of dots only'));
+               }
                // No empty password
                if (trim($password) == '') {
                        throw new \Exception($l->t('A valid password must be provided'));

diff --git a/tests/lib/User/ManagerTest.php b/tests/lib/User/ManagerTest.php
index 123271bcc8fb5e50c1f6933a6d1dcde7e7445afa..671b2ac57c1d5a9f2ea51ea711924157e0878ade 100644 (file)
--- a/tests/lib/User/ManagerTest.php
+++ b/tests/lib/User/ManagerTest.php
@@ -256,6 +256,49 @@ class ManagerTest extends TestCase {
                $this->assertEquals('foo3', array_shift($result)->getUID());
        }
 
+       public function dataCreateUserInvalid() {
+               return [
+                       ['te?st', 'foo', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\tst", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\nst", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\rst", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\0st", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\x0Bst", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\xe2st", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\x80st", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ["te\x8bst", '', 'Only the following characters are allowed in a username:'
+                               . ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+                       ['', 'foo', 'A valid username must be provided'],
+                       [' ', 'foo', 'A valid username must be provided'],
+                       [' test', 'foo', 'Username contains whitespace at the beginning or at the end'],
+                       ['test ', 'foo', 'Username contains whitespace at the beginning or at the end'],
+                       ['.', 'foo', 'Username must not consist of dots only'],
+                       ['..', 'foo', 'Username must not consist of dots only'],
+                       ['.test', '', 'A valid password must be provided'],
+                       ['test', '', 'A valid password must be provided'],
+               ];
+       }
+
+       /**
+        * @dataProvider dataCreateUserInvalid
+        */
+       public function testCreateUserInvalid($uid, $password, $exception) {
+
+               $this->setExpectedException(\Exception::class, $exception);
+
+               $manager = new \OC\User\Manager($this->config);
+               $manager->createUser($uid, $password);
+
+       }
+
        public function testCreateUserSingleBackendNotExists() {
                /**
                 * @var \Test\Util\User\Dummy | \PHPUnit_Framework_MockObject_MockObject $backend