Merge pull request #37268 from owncloud/disallow-special-uids

Do not allow various special usernames (UIDs)
owncloud · May 5, 2020 · d4f5036 · d4f5036
2 parents 67635ed + 4aa37a8
commit d4f5036
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/changelog/unreleased/32547 b/changelog/unreleased/32547
@@ -0,0 +1,8 @@
+Change: Disallow various special usernames
+
+Special names "avatars", "files_encryption", "files_external" and "meta" are
+used for other purposes in ownCloud and are not valid usernames (UIDs).
+Creating a user with any of these names is now disallowed.
+
+https://github.com/owncloud/core/issues/32547
+https://github.com/owncloud/core/pull/37268
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
@@ -366,6 +366,17 @@ public function createUser($uid, $password) {
 				throw new \Exception($l->t('The username can not be longer than 64 characters'));
 			}
 
+			$invalidUids = [
+				'avatars',
+				'meta',
+				'files_external',
+				'files_encryption'
+			];
+
+			if (\in_array(\strtolower($uid), $invalidUids)) {
+				throw new \Exception($l->t("The special username $uid is not allowed"));
+			}
+
 			// No empty password
 			if (\trim($password) == '') {
 				throw new \Exception($l->t('A valid password must be provided'));

diff --git a/tests/acceptance/features/webUIAddUsers/addUsers.feature b/tests/acceptance/features/webUIAddUsers/addUsers.feature
@@ -39,6 +39,7 @@ Feature: add users
       | a)~  | "%alt2%"    | Error creating user: Only the following characters are allowed in a username: "a-z", "A-Z", "0-9", and "+_.@-'" |
       | a(=  | "%alt3%"    | Error creating user: Only the following characters are allowed in a username: "a-z", "A-Z", "0-9", and "+_.@-'" |
       | a`*^ | "%alt4%"    | Error creating user: Only the following characters are allowed in a username: "a-z", "A-Z", "0-9", and "+_.@-'" |
+      | meta | "%alt4%"    | Error creating user: The special username meta is not allowed                                                   |
 
   Scenario: use the webUI to create a user with empty password
     When the administrator attempts to create a user with the name "bijay" and the password "" using the webUI

diff --git a/tests/lib/User/ManagerTest.php b/tests/lib/User/ManagerTest.php
@@ -381,6 +381,26 @@ public function testUsernameHasInvalidChars($uid) {
 		$this->manager->createUser($uid, 'testuser');
 	}
 
+	public function usernameIsSpecialInvalidValueDataProvider() {
+		return [
+			['avatars'],
+			['meta'],
+			['files_external'],
+			['files_encryption'],
+		];
+	}
+
+	/**
+	 * @dataProvider usernameIsSpecialInvalidValueDataProvider
+	 * @param $uid string
+	 */
+	public function testUsernameIsSpecialInvalidValue($uid) {
+		$this->expectException(\Exception::class);
+		$this->expectExceptionMessage("The special username $uid is not allowed");
+		$this->manager = \OC::$server->getUserManager();
+		$this->manager->createUser($uid, 'testuser');
+	}
+
 	public function testPasswordIsNotJustWhiteSpace() {
 		$this->expectException(\Exception::class);
 		$this->expectExceptionMessage('A valid password must be provided');