Merge pull request #8673 from nextcloud/stable13-8634

[stable13] do not create empty userid when attribute does not have allowed chars

2 files changed, 59 insertions, 6 deletions

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index c255af028a9..54467857793 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -580,7 +580,19 @@ class Access extends LDAPUtility implements IUserTools {
 			} else {
 				$username = $uuid;
 			}
-			$intName = $this->sanitizeUsername($username);
+			try {
+				$intName = $this->sanitizeUsername($username);
+			} catch (\InvalidArgumentException $e) {
+				\OC::$server->getLogger()->logException($e, [
+					'app' => 'user_ldap',
+					'level' => Util::WARN,
+				]);
+				// we don't attempt to set a username here. We can go for
+				// for an alternative 4 digit random number as we would append
+				// otherwise, however it's likely not enough space in bigger
+				// setups, and most importantly: this is not intended.
+				return false;
+			}
 		} else {
 			$intName = $ldapName;
 		}
@@ -1294,16 +1306,22 @@ class Access extends LDAPUtility implements IUserTools {
 
 	/**
 	 * @param string $name
-	 * @return bool|mixed|string
+	 * @return string
+	 * @throws \InvalidArgumentException
 	 */
 	public function sanitizeUsername($name) {
+		$name = trim($name);
+
 		if($this->connection->ldapIgnoreNamingRules) {
-			return trim($name);
+			return $name;
 		}
 
-		// Transliteration
-		// latin characters to ASCII
-		$name = iconv('UTF-8', 'ASCII//TRANSLIT', $name);
+		// Transliteration to ASCII
+		$transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name);
+		if($transliterated !== false) {
+			// depending on system config iconv can work or not
+			$name = $transliterated;
+		}
 
 		// Replacements
 		$name = str_replace(' ', '_', $name);
@@ -1311,6 +1329,10 @@ class Access extends LDAPUtility implements IUserTools {
 		// Every remaining disallowed characters will be removed
 		$name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name);
 
+		if($name === '') {
+			throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters');
+		}
+
 		return $name;
 	}
 
diff --git a/apps/user_ldap/tests/AccessTest.php b/apps/user_ldap/tests/AccessTest.php
index cbb695d779a..336b92af04f 100644
--- a/apps/user_ldap/tests/AccessTest.php
+++ b/apps/user_ldap/tests/AccessTest.php
@@ -632,5 +632,36 @@ class AccessTest extends TestCase {
 		$this->assertSame($expected, $list);
 	}
 
+	public function intUsernameProvider() {
+		// system dependent :-/
+		$translitExpected = @iconv('UTF-8', 'ASCII//TRANSLIT', 'fränk') ? 'frank' : 'frnk';
+
+		return [
+			['alice', 'alice'],
+			['b/ob', 'bob'],
+			['charly🐬', 'charly'],
+			['debo rah', 'debo_rah'],
+			['epost@poste.test', 'epost@poste.test'],
+			['fränk', $translitExpected],
+			[' gerda ', 'gerda'],
+			['🕱🐵🐘🐑', null]
+		];
+	}
+
+	/**
+	 * @dataProvider intUsernameProvider
+	 *
+	 * @param $name
+	 * @param $expected
+	 */
+	public function testSanitizeUsername($name, $expected) {
+		if($expected === null) {
+			$this->expectException(\InvalidArgumentException::class);
+		}
+		$sanitizedName = $this->access->sanitizeUsername($name);
+		$this->assertSame($expected, $sanitizedName);
+	}
+
+
 
 }