authorRoeland Jago Douma <rullzer@users.noreply.github.com>2019-12-05 10:30:00 +0100
committerGitHub <noreply@github.com>2019-12-05 10:30:00 +0100
commit04c2b5fcb12a8553913381b05204e8c4b55e71b5 (patch)
tree51a950fb23f931740b24c58c969a77547794bf94 /lib
parent6f540fc09d181ffffb3f698260fdda39a8c58843 (diff)
parent6004f6208531f9ff7e39799db39209d5a445555d (diff)
Merge pull request #18130 from nextcloud/bugfix/noid/prevent-creating-users-with-existing-files
Prevent creating users with existing files
Diffstat (limited to 'lib')
-rw-r--r--lib/private/User/Manager.php26
1 files changed, 19 insertions, 7 deletions
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index 29cae3da79b..9bb0aff5cd7 100644
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -294,10 +294,6 @@ class Manager extends PublicEmitter implements IUserManager {
* @return bool|IUser the created user or false
*/
public function createUser($uid, $password) {
- if (!$this->verifyUid($uid)) {
- return false;
- }
-
$localBackends = [];
foreach ($this->backends as $backend) {
if ($backend instanceof Database) {
@@ -332,22 +328,30 @@ class Manager extends PublicEmitter implements IUserManager {
// Check the name for bad characters
// Allowed are: "a-z", "A-Z", "0-9" and "_.@-'"
- if (preg_match('/[^a-zA-Z0-9 _\.@\-\']/', $uid)) {
+ if (preg_match('/[^a-zA-Z0-9 _.@\-\']/', $uid)) {
throw new \InvalidArgumentException($l->t('Only the following characters are allowed in a username:'
. ' "a-z", "A-Z", "0-9", and "_.@-\'"'));
}
+
// No empty username
if (trim($uid) === '') {
throw new \InvalidArgumentException($l->t('A valid username must be provided'));
}
+
// No whitespace at the beginning or at the end
if (trim($uid) !== $uid) {
throw new \InvalidArgumentException($l->t('Username contains whitespace at the beginning or at the end'));
}
+
// Username only consists of 1 or 2 dots (directory traversal)
if ($uid === '.' || $uid === '..') {
throw new \InvalidArgumentException($l->t('Username must not consist of dots only'));
}
+
+ if (!$this->verifyUid($uid)) {
+ throw new \InvalidArgumentException($l->t('Username is invalid because files already exist for this user'));
+ }
+
// No empty password
if (trim($password) === '') {
throw new \InvalidArgumentException($l->t('A valid password must be provided'));
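Review bot: The added `verifyUid()` guard always reports "files already exist for this user", but `verifyUid()` also returns false for the reserved names (`.htaccess`, `files_external`, `.ocdata`, the log files, the appdata folder), where no file needs to exist. Either word the message to cover both cases or have `verifyUid()` distinguish the two reasons. Unlike the sibling checks, the new guard has no comment, and its position matters because `verifyUid()` builds a filesystem path from `$uid`. I would add `// Reserved names and uids that already have an entry in the data directory; keep this after the character and dot checks`. The enclosing method starts and ends outside this hunk.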
@@ -623,10 +627,18 @@ class Manager extends PublicEmitter implements IUserManager {
private function verifyUid(string $uid): bool {
$appdata = 'appdata_' . $this->config->getSystemValueString('instanceid');
- if ($uid === '.htaccess' || $uid === 'files_external' || $uid === '.ocdata' || $uid === 'owncloud.log' || $uid === 'nextcloud.log' || $uid === $appdata) {
+ if (\in_array($uid, [
+ '.htaccess',
+ 'files_external',
+ '.ocdata',
+ 'owncloud.log',
+ 'nextcloud.log',
+ $appdata], true)) {
return false;
}
- return true;
+ $dataDirectory = $this->config->getSystemValueString('datadirectory', \OC::$SERVERROOT . '/data');
+
+ return !file_exists(rtrim($dataDirectory, '/') . '/' . $uid);
}
}
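Review bot: `verifyUid()` now joins `$uid` onto the data directory without validating it itself, so its safety depends on the caller having already rejected path separators and the `.`/`..` names. Nothing in the hunk states that precondition. A docblock should say that the method returns false for reserved data-directory names and for any uid whose path under `datadirectory` already exists, and that `$uid` must already have passed the character checks. The existence test is also point-in-time: presumably nothing stops the path from appearing between this call and the backend creating the account, so the docblock should describe it as a guard against adopting pre-existing files rather than a guarantee. The hunk begins at the method signature, so any existing docblock above it is not visible here.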