From 50ab6596bb3e2adec545eaa2671e89f1cb422b0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Wed, 15 Sep 2021 18:00:17 +0200
Subject: [PATCH] use proper url path decode on the username
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 changelog/unreleased/fix-username-encoding.md | 5 +++++
 ocs/pkg/middleware/requireselforadmin.go | 6 ++++++
 2 files changed, 11 insertions(+)
 create mode 100644 changelog/unreleased/fix-username-encoding.md
diff --git a/changelog/unreleased/fix-username-encoding.md b/changelog/unreleased/fix-username-encoding.md
new file mode 100644
index 0000000000..4bda843276
--- /dev/null
+++ b/changelog/unreleased/fix-username-encoding.md
@@ -0,0 +1,5 @@
+Bugfix: use proper url path decode on the username
+
+We now properly decode the username when reading it from a url parameter
+
+https://github.com/owncloud/ocis/pull/2511
diff --git a/ocs/pkg/middleware/requireselforadmin.go b/ocs/pkg/middleware/requireselforadmin.go
index 74d2f29a36..16b19a78cd 100644
--- a/ocs/pkg/middleware/requireselforadmin.go
+++ b/ocs/pkg/middleware/requireselforadmin.go
@@ -2,6 +2,7 @@ package middleware
 import (
 "net/http"
+ "net/url"
 revactx "github.com/cs3org/reva/pkg/ctx"
 "github.com/go-chi/chi/v5"
@@ -44,6 +45,11 @@ func RequireSelfOrAdmin(opts ...Option) func(next http.Handler) http.Handler {
 // check if self management permission is present in roles of the authenticated account
 if opt.RoleManager.FindPermissionByID(r.Context(), roleIDs, accounts.SelfManagementPermissionID) != nil {
 userid := chi.URLParam(r, "userid")
+ var err error
+ if userid, err = url.PathUnescape(userid); err != nil {
+ mustNotFail(render.Render(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "malformed username")))
+ }
+
 if userid == "" || userid == u.Id.OpaqueId || userid == u.Username {
 next.ServeHTTP(w, r)
 return
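Review bot: The new error branch in the second hunk of `requireselforadmin.go` renders the "malformed username" response but has no `return`, so execution falls through to the self check. `url.PathUnescape` returns an empty string together with its error, which leaves `userid == ""`; that satisfies the first clause of the following condition, so `next.ServeHTTP(w, r)` still runs after the 400 body has been written and the self-or-admin gate is effectively skipped for an undecodable username. Add `return` directly after the `mustNotFail(render.Render(...))` line. It is also worth confirming that `chi.URLParam` hands back the raw, still-encoded segment on every route that uses this middleware, since otherwise a name containing a literal `%` would be decoded twice. The body of `RequireSelfOrAdmin` starts and ends outside the hunk.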