From 763a7c114ff1be977a5b882ae70cec8ecd91996e Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Fri, 2 Mar 2018 17:44:06 +0100 Subject: [PATCH] do not create empty userid when attribute does not have allowed chars Signed-off-by: Arthur Schiwon --- apps/user_ldap/lib/Access.php | 32 ++++++++++++++++++++++++----- apps/user_ldap/tests/AccessTest.php | 31 ++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 5 deletions(-) diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index c16e9bf9f15..a805c63ffc1 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -562,7 +562,19 @@ class Access extends LDAPUtility implements IUserTools { } else { $username = $uuid; } - $intName = $this->sanitizeUsername($username); + try { + $intName = $this->sanitizeUsername($username); + } catch (\InvalidArgumentException $e) { + \OC::$server->getLogger()->logException($e, [ + 'app' => 'user_ldap', + 'level' => Util::WARN, + ]); + // we don't attempt to set a username here. We can go for + // for an alternative 4 digit random number as we would append + // otherwise, however it's likely not enough space in bigger + // setups, and most importantly: this is not intended. + return false; + } } else { $intName = $ldapName; } @@ -1252,16 +1264,22 @@ class Access extends LDAPUtility implements IUserTools { /** * @param string $name - * @return bool|mixed|string + * @return string + * @throws \InvalidArgumentException */ public function sanitizeUsername($name) { + $name = trim($name); + if($this->connection->ldapIgnoreNamingRules) { return $name; } - // Transliteration - // latin characters to ASCII - $name = iconv('UTF-8', 'ASCII//TRANSLIT', $name); + // Transliteration to ASCII + $transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name); + if($transliterated !== false) { + // depending on system config iconv can work or not + $name = $transliterated; + } // Replacements $name = str_replace(' ', '_', $name); @@ -1269,6 +1287,10 @@ class Access extends LDAPUtility implements IUserTools { // Every remaining disallowed characters will be removed $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name); + if($name === '') { + throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); + } + return $name; } diff --git a/apps/user_ldap/tests/AccessTest.php b/apps/user_ldap/tests/AccessTest.php index 85f0516dec2..8bbaa73a510 100644 --- a/apps/user_ldap/tests/AccessTest.php +++ b/apps/user_ldap/tests/AccessTest.php @@ -428,4 +428,35 @@ class AccessTest extends \Test\TestCase { $this->assertTrue($this->access->setPassword('CN=foo', 'MyPassword')); } + public function intUsernameProvider() { + // system dependent :-/ + $translitExpected = @iconv('UTF-8', 'ASCII//TRANSLIT', 'fränk') ? 'frank' : 'frnk'; + + return [ + ['alice', 'alice'], + ['b/ob', 'bob'], + ['charly🐬', 'charly'], + ['debo rah', 'debo_rah'], + ['epost@poste.test', 'epost@poste.test'], + ['fränk', $translitExpected], + [' gerda ', 'gerda'], + ['🕱🐵🐘🐑', null] + ]; + } + + /** + * @dataProvider intUsernameProvider + * + * @param $name + * @param $expected + */ + public function testSanitizeUsername($name, $expected) { + if($expected === null) { + $this->expectException(\InvalidArgumentException::class); + } + $sanitizedName = $this->access->sanitizeUsername($name); + $this->assertSame($expected, $sanitizedName); + } + + } -- 2.39.5