diff options
| author | Joas Schilling <coding@schilljs.com> | 2017-04-12 10:29:28 +0200 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2017-04-18 14:29:34 +0200 |
| commit | a3922bbcdc04d13c4e9614e0a29506c2fc8c7989 (patch) | |
| tree | 53e719877d12b186d1ebe20145d58975da80c280 /lib | |
| parent | b072d2c49d6f61c2b55abf12e04bdf2166dbd4f4 (diff) | |
| download | nextcloud-server-a3922bbcdc04d13c4e9614e0a29506c2fc8c7989.tar.gz nextcloud-server-a3922bbcdc04d13c4e9614e0a29506c2fc8c7989.zip | |
Better validation of allowed user names
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/User/Manager.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php index b62b04febaf..6220613cbb1 100644 --- a/lib/private/User/Manager.php +++ b/lib/private/User/Manager.php @@ -295,9 +295,13 @@ class Manager extends PublicEmitter implements IUserManager { throw new \Exception($l->t('A valid username must be provided')); } // No whitespace at the beginning or at the end - if (strlen(trim($uid, "\t\n\r\0\x0B\xe2\x80\x8b")) !== strlen(trim($uid))) { + if (trim($uid) !== $uid) { throw new \Exception($l->t('Username contains whitespace at the beginning or at the end')); } + // Username only consists of 1 or 2 dots (directory traversal) + if ($uid === '.' || $uid === '..') { + throw new \Exception($l->t('Username must not consist of dots only')); + } // No empty password if (trim($password) == '') { throw new \Exception($l->t('A valid password must be provided')); |