diff options
| author | Georg Ehrke <developer@georgehrke.com> | 2020-09-10 12:55:41 +0200 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2020-09-14 06:20:36 +0000 |
| commit | 0322268f1338addfce6c0b2d2ff5f8c082d48e84 (patch) | |
| tree | 0678d6947d3cc63bdeb4a46ad4c9c990f81a2b0d | |
| parent | 5b8f18e3c0df762e1cdb07cff357cef5d95f63ac (diff) | |
| download | nextcloud-server-0322268f1338addfce6c0b2d2ff5f8c082d48e84.tar.gz nextcloud-server-0322268f1338addfce6c0b2d2ff5f8c082d48e84.zip | |
Mitigate encoding issue with user principal uri
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
| -rw-r--r-- | apps/dav/lib/Connector/Sabre/Principal.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Principal.php b/apps/dav/lib/Connector/Sabre/Principal.php index 449275e982f..2e5717f44a6 100644 --- a/apps/dav/lib/Connector/Sabre/Principal.php +++ b/apps/dav/lib/Connector/Sabre/Principal.php @@ -168,7 +168,11 @@ class Principal implements BackendInterface { } if ($prefix === $this->principalPrefix) { - $user = $this->userManager->get($name); + // Depending on where it is called, it may happen that this function + // is called either with a urlencoded version of the name or with a non-urlencoded one. + // The urldecode function replaces %## and +, both of which are forbidden in usernames. + // Hence there can be no ambiguity here and it is safe to call urldecode on all usernames + $user = $this->userManager->get(urldecode($name)); if ($user !== null) { return $this->userToPrincipal($user); |