diff options
Diffstat (limited to 'apps/user_ldap/lib/Access.php')
| -rw-r--r-- | apps/user_ldap/lib/Access.php | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index 0b243b8ad59..862089e9d30 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -60,6 +60,8 @@ use OCA\User_LDAP\User\OfflineUser; use OCP\IConfig; use OCP\ILogger; use OCP\IUserManager; +use function strlen; +use function substr; /** * Class Access @@ -579,7 +581,7 @@ class Access extends LDAPUtility { return false; } } else { - $intName = $ldapName; + $intName = $this->sanitizeGroupIDCandidate($ldapName); } //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups @@ -838,6 +840,11 @@ class Access extends LDAPUtility { * @return string|false with with the name to use in Nextcloud or false if unsuccessful */ private function createAltInternalOwnCloudName($name, $isUser) { + // ensure there is space for the "_1234" suffix + if (strlen($name) > 59) { + $name = substr($name, 0, 59); + } + $originalTTL = $this->connection->ldapCacheTTL; $this->connection->setConfiguration(['ldapCacheTTL' => 0]); if ($isUser) { @@ -1432,6 +1439,10 @@ class Access extends LDAPUtility { // Every remaining disallowed characters will be removed $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name); + if (strlen($name) > 64) { + $name = (string)hash('sha256', $name, false); + } + if ($name === '') { throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); } @@ -1439,6 +1450,18 @@ class Access extends LDAPUtility { return $name; } + public function sanitizeGroupIDCandidate(string $candidate): string { + $candidate = trim($candidate); + if (strlen($candidate) > 64) { + $candidate = (string)hash('sha256', $candidate, false); + } + if ($candidate === '') { + throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); + } + + return $candidate; + } + /** * escapes (user provided) parts for LDAP filter * |