author | Lukas Reschke <lukas@owncloud.com> | 2014-12-17 12:47:00 +0100 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2014-12-17 12:47:00 +0100 |
commit | f6820406b6a345a28878bbd5336eff331627b1a6 (patch) | |
tree | 917437fd565a6169c922d3b173b6e260d3f4c0e6 /lib/private/user | |
parent | 77c4c2856aa4cb27ca6ab77e5bedbaa65300d111 (diff) | |
Move the Null-Byte LDAP check to the user manager
The existing method is deprecated and just a wrapper around the manager method. Since in the future other code paths might call this function instead we need to perform that check here.
Related to http://owncloud.org/security/advisory/?id=oc-sa-2014-020
Diffstat (limited to 'lib/private/user')
-rw-r--r-- | lib/private/user/manager.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/private/user/manager.php b/lib/private/user/manager.php
index 1bc3b51c2ef..2c56ea261d6 100644
--- a/lib/private/user/manager.php
+++ b/lib/private/user/manager.php
@@ -151,6 +151,9 @@ class Manager extends PublicEmitter implements IUserManager {
 * @return mixed the User object on success, false otherwise
 */
 public function checkPassword($loginname, $password) {
+ $loginname = str_replace("\0", '', $loginname);
+ $password = str_replace("\0", '', $password);
+
 foreach ($this->backends as $backend) {
 if ($backend->implementsActions(\OC_User_Backend::CHECK_PASSWORD)) {
 $uid = $backend->checkPassword($loginname, $password); |
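Review bot: Stripping NUL bytes at the top of checkPassword() normalises the credentials instead of rejecting them, so a login name or password consisting only of NUL bytes becomes the empty string and is still handed to every backend in the loop; whether the backends refuse empty credentials is not visible in this hunk. It also makes a password that contains a NUL equivalent to the same password without it. Since the docblock already promises `false` on failure, I would fail closed instead: `if (strpos($loginname, "\0") !== false || strpos($password, "\0") !== false) { return false; }`. A short comment above the check, e.g. `// Reject NUL bytes before any backend sees them (see oc-sa-2014-020)`, would keep a later cleanup from removing it. The method body continues past the end of the hunk.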