From ce8aee4a4ee3afc41176f8eedb23b3bf79e3064b Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Wed, 12 Apr 2017 10:29:28 +0200
Subject: [PATCH] Better validation of allowed user names

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 lib/private/User/Manager.php   |  6 ++++-
 tests/lib/User/ManagerTest.php | 43 ++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index 3d016700ee3..45400d621cb 100644
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -278,9 +278,13 @@ class Manager extends PublicEmitter implements IUserManager {
 			throw new \Exception($l->t('A valid username must be provided'));
 		}
 		// No whitespace at the beginning or at the end
-		if (strlen(trim($uid, "\t\n\r\0\x0B\xe2\x80\x8b")) !== strlen(trim($uid))) {
+		if (trim($uid) !== $uid) {
 			throw new \Exception($l->t('Username contains whitespace at the beginning or at the end'));
 		}
+		// Username only consists of 1 or 2 dots (directory traversal)
+		if ($uid === '.' || $uid === '..') {
+			throw new \Exception($l->t('Username must not consist of dots only'));
+		}
 		// No empty password
 		if (trim($password) == '') {
 			throw new \Exception($l->t('A valid password must be provided'));
diff --git a/tests/lib/User/ManagerTest.php b/tests/lib/User/ManagerTest.php
index 123271bcc8f..671b2ac57c1 100644
--- a/tests/lib/User/ManagerTest.php
+++ b/tests/lib/User/ManagerTest.php
@@ -256,6 +256,49 @@ class ManagerTest extends TestCase {
 		$this->assertEquals('foo3', array_shift($result)->getUID());
 	}
 
+	public function dataCreateUserInvalid() {
+		return [
+			['te?st', 'foo', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\tst", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\nst", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\rst", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\0st", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\x0Bst", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\xe2st", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\x80st", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			["te\x8bst", '', 'Only the following characters are allowed in a username:'
+				. ' "a-z", "A-Z", "0-9", and "_.@-\'"'],
+			['', 'foo', 'A valid username must be provided'],
+			[' ', 'foo', 'A valid username must be provided'],
+			[' test', 'foo', 'Username contains whitespace at the beginning or at the end'],
+			['test ', 'foo', 'Username contains whitespace at the beginning or at the end'],
+			['.', 'foo', 'Username must not consist of dots only'],
+			['..', 'foo', 'Username must not consist of dots only'],
+			['.test', '', 'A valid password must be provided'],
+			['test', '', 'A valid password must be provided'],
+		];
+	}
+
+	/**
+	 * @dataProvider dataCreateUserInvalid
+	 */
+	public function testCreateUserInvalid($uid, $password, $exception) {
+
+		$this->setExpectedException(\Exception::class, $exception);
+
+		$manager = new \OC\User\Manager($this->config);
+		$manager->createUser($uid, $password);
+
+	}
+
 	public function testCreateUserSingleBackendNotExists() {
 		/**
 		 * @var \Test\Util\User\Dummy | \PHPUnit_Framework_MockObject_MockObject $backend
-- 
2.39.5