From 203b9131ec895cafbb10e9c2aacd6b2c45e6b9f4 Mon Sep 17 00:00:00 2001
From: Josh Richards
Date: Thu, 30 Mar 2023 11:59:13 -0400
Subject: [PATCH 1/2] Trim the user/email provided for password resets

Signed-off-by: Josh Richards
---
 core/Controller/LostController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 044535c345b..36b8dca6ddb 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -208,7 +208,7 @@ class LostController extends Controller {

 // FIXME: use HTTP error codes
 try {
- $this->sendEmail($user);
+ $this->sendEmail(trim($user));
 } catch (ResetPasswordException $e) {
 // Ignore the error since we do not want to leak this info
 $this->logger->warning('Could not send password reset email: ' . $e->getMessage());

From 9899b1247803432f87224a01022bafca5366a1b1 Mon Sep 17 00:00:00 2001
From: Josh Richards
Date: Tue, 4 Apr 2023 10:03:15 -0400
Subject: [PATCH 2/2] Trim user earlier

Signed-off-by: Josh Richards
---
 core/Controller/LostController.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 36b8dca6ddb..51ab8d85a6e 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -200,6 +200,8 @@ class LostController extends Controller {
 return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));
 }

+ $user = trim($user);
+
 \OCP\Util::emitHook(
 '\OCA\Files_Sharing\API\Server2Server',
 'preLoginNameUsedAsUserName',
@@ -208,7 +210,7 @@ class LostController extends Controller {

 // FIXME: use HTTP error codes
 try {
- $this->sendEmail(trim($user));
+ $this->sendEmail($user);
 } catch (ResetPasswordException $e) {
 // Ignore the error since we do not want to leak this info
 $this->logger->warning('Could not send password reset email: ' . $e->getMessage());
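Review bot: The added `$user = trim($user);` in the second patch's first hunk (`@@ -200,6 +200,8 @@`) has no comment saying why it must sit before `\OCP\Util::emitHook(`, so a later refactor could easily move it back next to `sendEmail()`. I would add `// Normalise the submitted login before the hook so listeners and sendEmail() look up the same value` directly above it. Note also that `trim()` with its default character list strips only ASCII whitespace and NUL, so a non-breaking space pasted along with an address still reaches the lookup; because the `catch` in the following hunk deliberately hides the failure from the requester, that case would surface only in the warning log. The hook's argument array and the start of the method lie outside the hunk, so whether a listener can rewrite `$user` after the trim cannot be confirmed from here; a regression test with whitespace-padded input would pin the intended behaviour.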