From: Christopher Ng
Date: Tue, 28 Jun 2022 18:03:15 +0000 (+0000)
Subject: Do not save invalid display name to the database
X-Git-Tag: v24.0.3rc1~10^2~2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=51e20dd6c56e8f9221f9019f83a2abe61a90c4f6;p=nextcloud-server.git

Do not save invalid display name to the database

Signed-off-by: Christopher Ng
---

diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index a26479ba0a8..839ac404c94 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -837,7 +837,9 @@ class UsersController extends AUserData {
 switch ($key) {
 case self::USER_FIELD_DISPLAYNAME:
 case IAccountManager::PROPERTY_DISPLAYNAME:
- $targetUser->setDisplayName($value);
+ if (!$targetUser->setDisplayName($value)) {
+ throw new OCSException('Invalid displayname', 102);
+ }
 break;
 case self::USER_FIELD_QUOTA:
 $quota = $value;
diff --git a/lib/private/User/Database.php b/lib/private/User/Database.php
index a9464c27085..1470409c862 100644
--- a/lib/private/User/Database.php
+++ b/lib/private/User/Database.php
@@ -215,6 +215,10 @@ class Database extends ABackend implements
 * Change the display name of a user
 */
 public function setDisplayName(string $uid, string $displayName): bool {
+ if (mb_strlen($displayName) > 64) {
+ return false;
+ }
+
 $this->fixDI();
 
 if ($this->userExists($uid)) {
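Review bot: The new guard in the `USER_FIELD_DISPLAYNAME` / `PROPERTY_DISPLAYNAME` case reports every `false` from `$targetUser->setDisplayName($value)` as 'Invalid displayname' (code 102), but a bare boolean cannot tell the caller why the write was refused. The only validity rule visible in this commit is the 64-character limit in `Database::setDisplayName`, whose body continues into a `userExists` branch past the hunk, so `false` presumably covers non-validation outcomes as well. If that is the case, clients of the provisioning API receive a validation error for a well-formed value. At minimum the case should carry a comment such as `// setDisplayName() returns false on any refusal, not only an over-long name`, and ideally the length is checked at this API boundary before the call so the 102 is raised only for input that is actually invalid. The enclosing `switch` starts and ends outside the hunk.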
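Review bot: The limit in `if (mb_strlen($displayName) > 64)` is an unexplained literal, and the docblock above it still says only "Change the display name of a user". The 64 presumably mirrors the width of the display-name column, which is worth stating so the two do not drift apart. The docblock should say that names longer than 64 characters are rejected with `false` before any database access. The count also depends on PHP's configured internal encoding. Passing the encoding explicitly, `if (mb_strlen($displayName, 'UTF-8') > 64) {`, keeps the check independent of server configuration. The rest of the method body lies outside the hunk.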