
github.com/nextcloud/server.git - Unnamed repository; edit this file 'description' to name the repository.
authorJoas Schilling <coding@schilljs.com>2017-04-12 11:29:28 +0300
committerJoas Schilling <coding@schilljs.com>2017-04-19 10:21:46 +0300
commitce8aee4a4ee3afc41176f8eedb23b3bf79e3064b (patch)
treece16b019b8de768c4f147a6447000768fd511606 /lib/private
parent867950a78b92f20487adfe4c222a22a6024539ea (diff)
Better validation of allowed user names
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib/private')
-rw-r--r--lib/private/User/Manager.php6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index 3d016700ee3..45400d621cb 100644
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -278,9 +278,13 @@ class Manager extends PublicEmitter implements IUserManager {
throw new \Exception($l->t('A valid username must be provided'));
}
// No whitespace at the beginning or at the end
- if (strlen(trim($uid, "\t\n\r\0\x0B\xe2\x80\x8b")) !== strlen(trim($uid))) {
+ if (trim($uid) !== $uid) {
throw new \Exception($l->t('Username contains whitespace at the beginning or at the end'));
}
+ // Username only consists of 1 or 2 dots (directory traversal)
+ if ($uid === '.' || $uid === '..') {
+ throw new \Exception($l->t('Username must not consist of dots only'));
+ }
// No empty password
if (trim($password) == '') {
throw new \Exception($l->t('A valid password must be provided'));
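Review bot: The added check `if ($uid === '.' || $uid === '..')` rejects only the two path-special names, yet its message says the username must not consist of dots only, so `...` is accepted despite what the message implies. If the message states the intent, `if (preg_match('/^\.+$/', $uid) === 1) {` matches it; if only `.` and `..` are meant, the comment and message should say so, and the comment could state that the uid is presumably used as a path segment. The check also depends on earlier validation to keep `/` and `\` out of `$uid`, which cannot be confirmed here because the enclosing method starts and ends outside the hunk. Separately, `trim($uid) !== $uid` detects only the ASCII characters `trim()` strips by default, so a leading or trailing U+200B or U+00A0 is rejected only if an earlier character check catches it; a unit test for those inputs would pin this down.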