diff options
| author | Georg Ehrke <developer@georgehrke.com> | 2020-09-10 13:55:41 +0300 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2020-09-14 09:20:52 +0300 |
| commit | d87b9dd3f9e7a1e374ac9f5fb7411d0a95c2181e (patch) | |
| tree | f73640aabd774f11ce274cb77dcc6c4be5e00741 /apps | |
| parent | 6ca4627d97705c9f10388bab883ee449b8d93924 (diff) | |
Mitigate encoding issue with user principal uri
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/dav/lib/Connector/Sabre/Principal.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Principal.php b/apps/dav/lib/Connector/Sabre/Principal.php index 880f082ec42..bd0ee160ebd 100644 --- a/apps/dav/lib/Connector/Sabre/Principal.php +++ b/apps/dav/lib/Connector/Sabre/Principal.php @@ -170,7 +170,11 @@ class Principal implements BackendInterface { } if ($prefix === $this->principalPrefix) { - $user = $this->userManager->get($name); + // Depending on where it is called, it may happen that this function + // is called either with a urlencoded version of the name or with a non-urlencoded one. + // The urldecode function replaces %## and +, both of which are forbidden in usernames. + // Hence there can be no ambiguity here and it is safe to call urldecode on all usernames + $user = $this->userManager->get(urldecode($name)); if ($user !== null) { return $this->userToPrincipal($user); |