Move the Null-Byte LDAP check to the user manager

The existing method is deprecated and just a wrapper around the manager method. Since in the future other code paths might call this function instead we need to perform that check here.

Related to http://owncloud.org/security/advisory/?id=oc-sa-2014-020

diff --git a/lib/private/user.php b/lib/private/user.php
index ff45e9e26a640a32c1513ad51fdfe03ce210e752..2964b58ba14505ba9a8fad0d5c3f37074986c083 100644 (file)
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -212,9 +212,6 @@ class OC_User {
         * Log in a user and regenerate a new session - if the password is ok
         */
        public static function login($loginname, $password) {
-               $loginname = str_replace("\0", '', $loginname);
-               $password = str_replace("\0", '', $password);
-
                session_regenerate_id(true);
                $result = self::getUserSession()->login($loginname, $password);
                if ($result) {

diff --git a/lib/private/user/manager.php b/lib/private/user/manager.php
index 1bc3b51c2ef5e09ccd0aae37bccfed8cc2df949f..2c56ea261d68497ff6e00d58685fbbd22884dcbe 100644 (file)
--- a/lib/private/user/manager.php
+++ b/lib/private/user/manager.php
@@ -151,6 +151,9 @@ class Manager extends PublicEmitter implements IUserManager {
         * @return mixed the User object on success, false otherwise
         */
        public function checkPassword($loginname, $password) {
+               $loginname = str_replace("\0", '', $loginname);
+               $password = str_replace("\0", '', $password);
+               
                foreach ($this->backends as $backend) {
                        if ($backend->implementsActions(\OC_User_Backend::CHECK_PASSWORD)) {
                                $uid = $backend->checkPassword($loginname, $password);