diff options
Diffstat (limited to 'lib/private/User')
| -rw-r--r-- | lib/private/User/Manager.php | 70 | ||||
| -rw-r--r-- | lib/private/User/Session.php | 3 |
2 files changed, 46 insertions, 27 deletions
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php index dc31eece414..82fc4d818ad 100644 --- a/lib/private/User/Manager.php +++ b/lib/private/User/Manager.php @@ -44,6 +44,8 @@ use OCP\IGroup; use OCP\IUser; use OCP\IUserBackend; use OCP\IUserManager; +use OCP\L10N\IFactory; +use OCP\Server; use OCP\Support\Subscription\IAssertion; use OCP\User\Backend\IGetRealUIDBackend; use OCP\User\Backend\ISearchKnownUsersBackend; @@ -427,31 +429,7 @@ class Manager extends PublicEmitter implements IUserManager { public function createUserFromBackend($uid, $password, UserInterface $backend) { $l = \OC::$server->getL10N('lib'); - // Check the name for bad characters - // Allowed are: "a-z", "A-Z", "0-9" and "_.@-'" - if (preg_match('/[^a-zA-Z0-9 _.@\-\']/', $uid)) { - throw new \InvalidArgumentException($l->t('Only the following characters are allowed in a username:' - . ' "a-z", "A-Z", "0-9", and "_.@-\'"')); - } - - // No empty username - if (trim($uid) === '') { - throw new \InvalidArgumentException($l->t('A valid username must be provided')); - } - - // No whitespace at the beginning or at the end - if (trim($uid) !== $uid) { - throw new \InvalidArgumentException($l->t('Username contains whitespace at the beginning or at the end')); - } - - // Username only consists of 1 or 2 dots (directory traversal) - if ($uid === '.' || $uid === '..') { - throw new \InvalidArgumentException($l->t('Username must not consist of dots only')); - } - - if (!$this->verifyUid($uid)) { - throw new \InvalidArgumentException($l->t('Username is invalid because files already exist for this user')); - } + $this->validateUserId($uid, true); // No empty password if (trim($password) === '') { @@ -726,7 +704,43 @@ class Manager extends PublicEmitter implements IUserManager { })); } - private function verifyUid(string $uid): bool { + /** + * @param string $uid + * @param bool $checkDataDirectory + * @throws \InvalidArgumentException Message is an already translated string with a reason why the id is not valid + * @since 26.0.0 + */ + public function validateUserId(string $uid, bool $checkDataDirectory = false): void { + $l = Server::get(IFactory::class)->get('lib'); + + // Check the name for bad characters + // Allowed are: "a-z", "A-Z", "0-9" and "_.@-'" + if (preg_match('/[^a-zA-Z0-9 _.@\-\']/', $uid)) { + throw new \InvalidArgumentException($l->t('Only the following characters are allowed in a username:' + . ' "a-z", "A-Z", "0-9", and "_.@-\'"')); + } + + // No empty username + if (trim($uid) === '') { + throw new \InvalidArgumentException($l->t('A valid username must be provided')); + } + + // No whitespace at the beginning or at the end + if (trim($uid) !== $uid) { + throw new \InvalidArgumentException($l->t('Username contains whitespace at the beginning or at the end')); + } + + // Username only consists of 1 or 2 dots (directory traversal) + if ($uid === '.' || $uid === '..') { + throw new \InvalidArgumentException($l->t('Username must not consist of dots only')); + } + + if (!$this->verifyUid($uid, $checkDataDirectory)) { + throw new \InvalidArgumentException($l->t('Username is invalid because files already exist for this user')); + } + } + + private function verifyUid(string $uid, bool $checkDataDirectory = false): bool { $appdata = 'appdata_' . $this->config->getSystemValueString('instanceid'); if (\in_array($uid, [ @@ -740,6 +754,10 @@ class Manager extends PublicEmitter implements IUserManager { return false; } + if (!$checkDataDirectory) { + return true; + } + $dataDirectory = $this->config->getSystemValueString('datadirectory', \OC::$SERVERROOT . '/data'); return !file_exists(rtrim($dataDirectory, '/') . '/' . $uid); diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index f9ad1f72ab8..c7b11e22504 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -371,6 +371,7 @@ class Session implements IUserSession, Emitter { if ($regenerateSessionId) { $this->session->regenerateId(); + $this->session->remove(Auth::DAV_AUTHENTICATED); } $this->setUser($user); @@ -457,7 +458,7 @@ class Session implements IUserSession, Emitter { $throttler->registerAttempt('login', $request->getRemoteAddress(), ['user' => $user]); - $this->dispatcher->dispatchTyped(new OC\Authentication\Events\LoginFailed($user)); + $this->dispatcher->dispatchTyped(new OC\Authentication\Events\LoginFailed($user, $password)); if ($currentDelay === 0) { $throttler->sleepDelay($request->getRemoteAddress(), 'login'); |