From dc68d66945f5ce64433d7c260805ee9aaecd65f4 Mon Sep 17 00:00:00 2001 From: "Cleopatra Enjeck M." Date: Mon, 24 Feb 2025 06:17:00 +0000 Subject: [PATCH 1/3] fix: Use case insensitive check when validating login name Signed-off-by: Cleopatra Enjeck M. --- lib/private/User/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 64e8f6dfdc8..3334147bb22 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -779,7 +779,7 @@ class Session implements IUserSession, Emitter { * Check if login names match */ private function validateTokenLoginName(?string $loginName, IToken $token): bool { - if ($token->getLoginName() !== $loginName) { + if (strtolower($token->getLoginName() ?? '') !== strtolower($loginName ?? '')) { // TODO: this makes it impossible to use different login names on browser and client // e.g. login by e-mail 'user@example.com' on browser for generating the token will not // allow to use the client token with the login name 'user'. From 9dbf067f3116e410564ac064acbd9c0efc50dbb1 Mon Sep 17 00:00:00 2001 From: "Cleopatra Enjeck M." Date: Tue, 25 Feb 2025 06:36:53 +0000 Subject: [PATCH 2/3] fix: Improve string comparison Signed-off-by: Cleopatra Enjeck M. --- lib/private/User/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 3334147bb22..7c43dca41ae 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -779,7 +779,7 @@ class Session implements IUserSession, Emitter { * Check if login names match */ private function validateTokenLoginName(?string $loginName, IToken $token): bool { - if (strtolower($token->getLoginName() ?? '') !== strtolower($loginName ?? '')) { + if (strcasecmp($token->getLoginName(), $loginName ?? '') !== 0) { // TODO: this makes it impossible to use different login names on browser and client // e.g. login by e-mail 'user@example.com' on browser for generating the token will not // allow to use the client token with the login name 'user'. From 22fa59b378be326ea3aa286cc52021b92d92c287 Mon Sep 17 00:00:00 2001 From: "Cleopatra Enjeck M." Date: Mon, 3 Mar 2025 04:18:59 +0000 Subject: [PATCH 3/3] fix: use mb_strtolower to convert login name Signed-off-by: Cleopatra Enjeck M. --- lib/private/User/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 7c43dca41ae..fc6b84fe908 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -779,7 +779,7 @@ class Session implements IUserSession, Emitter { * Check if login names match */ private function validateTokenLoginName(?string $loginName, IToken $token): bool { - if (strcasecmp($token->getLoginName(), $loginName ?? '') !== 0) { + if (mb_strtolower($token->getLoginName()) !== mb_strtolower($loginName ?? '')) { // TODO: this makes it impossible to use different login names on browser and client // e.g. login by e-mail 'user@example.com' on browser for generating the token will not // allow to use the client token with the login name 'user'.