Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent user with empty uid #1616

Merged
merged 2 commits into from
Oct 6, 2016
Merged

Prevent user with empty uid #1616

merged 2 commits into from
Oct 6, 2016

Conversation

blizzz
Copy link
Member

@blizzz blizzz commented Oct 4, 2016

Downstream of owncloud/user_ldap#6

@nextcloud/ldap @LukasReschke @nickvergessen

@butonic @blizzz
Prevent user with empty uid
0ae9a2c 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz added this to the Nextcloud 11.0 milestone Oct 4, 2016
@mention-bot
Copy link

@blizzz, thanks for your PR! By analyzing the history of the files in this pull request, we identified @DeepDiver1975, @nickvergessen and @owncloud-bot to be potential reviewers.

@nickvergessen
Copy link
Member

👍

LukasReschke
LukasReschke reviewed Oct 4, 2016
View reviewed changes
apps/user_ldap/lib/User/User.php
@@ -111,6 +112,12 @@ public function __construct($username, $dn, IUserTools $access,
IConfig $config, FilesystemHelper $fs, Image $image,
LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager) {

if ($username === null) {
throw new \InvalidArgumentException("uid for '$dn' must not be null!");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We had enough of problems with user controllable input in the past. Is that user controllable in any way? Or sensitive?

If so we should just log the detailled error message and have an exception that doesn't include the user input.

cc @nickvergessen

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Display name should be user controlled, but since you can not login anymore, you would need to set the malicious displayname via a secondary system.
Then again, only an admin could ever create an empty user...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one here comes in via LDAP. If somehow the attribute you as admin chose returns an empty string (or something that fails to transliterate i assume, the original PR was not referring to anything) it could end up here with an empty username.

Tbh, I did not dig into the details, but seems like an OK check.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blizzz I guess this is about escaping or not showing "$dn" to the user via an error page ;)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blizzz Could you fix the stuff @LukasReschke requested? Thanks :)

@nickvergessen nickvergessen added the 3. to review Waiting for reviews label Oct 5, 2016
@MorrisJobke MorrisJobke added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Oct 5, 2016
@nickvergessen
Log the error with display name
82c29e1 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Oct 6, 2016
@nickvergessen
Copy link
Member

Updated, review time @MorrisJobke @LukasReschke

@MorrisJobke
Copy link
Member

Tested and setup of LDAP and loging in still works 👍

@MorrisJobke MorrisJobke added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Oct 6, 2016
@codecov-io
Copy link

Current coverage is 30.82% (diff: 0.00%)

Merging #1616 into master will increase coverage by 0.20%

@@             master      #1616   diff @@
==========================================
  Files          1081       1087      +6   
  Lines         60017      61115   +1098   
  Methods        6808       7030    +222   
  Messages          0          0           
  Branches          0          0           
==========================================
+ Hits          18377      18840    +463   
- Misses        41640      42275    +635   
  Partials          0          0

Sunburst

Diff Coverage File Path
0% apps/user_ldap/lib/User/User.php

Powered by Codecov. Last update 3a0e061...82c29e1

@MorrisJobke MorrisJobke merged commit 55e72ca into master Oct 6, 2016
@MorrisJobke MorrisJobke deleted the downstream_ldap_6 branch October 6, 2016 12:43
@snyk-bot snyk-bot mentioned this pull request Jul 18, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen left review comments

@LukasReschke LukasReschke LukasReschke left review comments

@MorrisJobke MorrisJobke MorrisJobke approved these changes

Assignees
No one assigned
Labels
4. to release Ready to be released and/or waiting for tests to finish bug feature: ldap
Projects
None yet
Milestone
Nextcloud 11.0
Development

Successfully merging this pull request may close these issues.
7 participants
@blizzz @mention-bot @nickvergessen @MorrisJobke @codecov-io @LukasReschke @butonic