author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2021-09-17 19:15:46 +0200 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2021-09-24 17:29:29 +0200 |
commit | 6ab30a669b3dde5dce2b63fb33b1ec44f1889b2f (patch) | |
tree | dab547fb88f9793df972c92972590a4ce484e949 /apps/user_ldap/lib/Access.php | |
parent | fb904a9670369aab244b2f3fe3cec8fb65b0c277 (diff) | |
download | nextcloud-server-6ab30a669b3dde5dce2b63fb33b1ec44f1889b2f.tar.gz nextcloud-server-6ab30a669b3dde5dce2b63fb33b1ec44f1889b2f.zip |
ensure that user and group IDs in LDAP's tables are also max 64chars
- limitation by core tables (e.g. sharing), IDs are always 64chars
- when longer group IDs were requested they are hashed (does not affect
display names)
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'apps/user_ldap/lib/Access.php')
-rw-r--r-- | apps/user_ldap/lib/Access.php | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 33329c0f03a..14178023e12 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -59,6 +59,8 @@ use OCP\HintException;
 use OCP\IConfig;
 use OCP\ILogger;
 use OCP\IUserManager;
+use function strlen;
+use function substr;
 /**
 * Class Access
@@ -578,7 +580,7 @@ class Access extends LDAPUtility {
 return false;
 }
 } else {
- $intName = $ldapName;
+ $intName = $this->sanitizeGroupIDCandidate($ldapName);
 }
 //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups
@@ -837,6 +839,11 @@ class Access extends LDAPUtility {
 * @return string|false with with the name to use in Nextcloud or false if unsuccessful
 */
 private function createAltInternalOwnCloudName($name, $isUser) {
+ // ensure there is space for the "_1234" suffix
+ if (strlen($name) > 59) {
+ $name = substr($name, 0, 59);
+ }
+
 $originalTTL = $this->connection->ldapCacheTTL;
 $this->connection->setConfiguration(['ldapCacheTTL' => 0]);
 if ($isUser) {
@@ -1431,6 +1438,10 @@ class Access extends LDAPUtility {
 // Every remaining disallowed characters will be removed
 $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name);
+ if (strlen($name) > 64) {
+ $name = (string)hash('sha256', $name, false);
+ }
+
 if ($name === '') {
 throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters');
 }
@@ -1438,6 +1449,18 @@ class Access extends LDAPUtility {
 return $name;
 }
+ public function sanitizeGroupIDCandidate(string $candidate): string {
+ $candidate = trim($candidate);
+ if (strlen($candidate) > 64) {
+ $candidate = (string)hash('sha256', $candidate, false);
+ }
+ if ($candidate === '') {
+ throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters');
+ }
+ return $candidate;
+ }
+
 /**
 * escapes (user provided) parts for LDAP filter
 *
 |
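Review bot: The replacement `$intName = $this->sanitizeGroupIDCandidate($ldapName);` in the `else` branch introduces a throw path where the old assignment could not fail: sanitizeGroupIDCandidate throws \InvalidArgumentException when the trimmed candidate is empty, and nothing in this hunk catches it. If the user branch just above (not visible in the hunk) wraps its sanitizeUsername call in a try/catch that returns false, the group branch should mirror that so an LDAP group with a blank or whitespace-only name degrades to "not mapped" instead of aborting the whole lookup. The enclosing function starts and ends outside the hunk, so the caller's handling of the exception cannot be confirmed from here.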
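Review bot: `substr($name, 0, 59)` at the top of createAltInternalOwnCloudName is byte-wise, so a group name containing multibyte UTF-8 (the group path only trims, it does not strip non-ASCII) can be cut in the middle of a character and yield an invalid UTF-8 ID that the database layer or JSON encoding may reject; `$name = mb_strcut($name, 0, 59);` shortens to at most 59 bytes without splitting a character and keeps the existing `strlen` check valid. The comment `// ensure there is space for the "_1234" suffix` would be more helpful if it named the limit it derives from, e.g. `// core tables cap IDs at 64 chars; keep room for the numeric "_1234" suffix`. The method body continues outside the hunk.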
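Review bot: The 64-character limit and the sha256 fallback are written out twice as bare literals, here in sanitizeUsername and again in sanitizeGroupIDCandidate in the last hunk, with no comment on why 64 was chosen or why the hash fits; a class constant `private const MAX_ID_LENGTH = 64;` used in both conditions, plus a comment such as `// core tables store user/group IDs in 64-char columns; a hex sha256 digest is exactly 64 chars, so it always fits`, would make the invariant visible in one place. The `(string)` cast and the explicit `false` third argument are redundant because hash() already returns a hex string by default, so `$name = hash('sha256', $name);` reads cleaner. Applying the hash before the empty check is fine here, since the preg_replace above guarantees only ASCII remains and an empty string is never longer than 64.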
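Review bot: The exception message in the new sanitizeGroupIDCandidate, `provided name template for username does not contain any allowed characters`, is copied from sanitizeUsername and is misleading for a group ID, where no character filtering happens at all; `throw new \InvalidArgumentException('provided group ID candidate is empty after trimming');` describes what was actually checked. The new public method also has no docblock; it should state that it trims the candidate, replaces anything longer than 64 bytes with its hex sha256 digest, and carry `@throws \InvalidArgumentException` for the empty-result case. Because `strlen` counts bytes, a non-ASCII group name well under 64 characters can still be hashed; if the 64 limit is in characters rather than bytes (I cannot tell from the hunk), `mb_strlen` would match the column semantics more closely.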