Limit the length of app password names

Signed-off-by: Joas Schilling <coding@schilljs.com>
nextcloud · Mar 23, 2022 · a0c7798 · eastyu · May 7, 2022 · nickvergessen
1 parent 0fa17f8
commit a0c7798
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 0 deletions.
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -145,6 +145,10 @@ public function create($name) {
 			return $this->getServiceNotAvailableResponse();
 		}
 
+		if (mb_strlen($name) > 128) {
+			$name = mb_substr($name, 0, 120) . '…';
+		}
+
 		$token = $this->generateRandomDeviceToken();
 		$deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
 		$tokenData = $deviceToken->jsonSerialize();
@@ -241,6 +245,10 @@ public function update($id, array $scope, string $name) {
 			$this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
 		}
 
+		if (mb_strlen($name) > 128) {
+			$name = mb_substr($name, 0, 120) . '…';
+		}
+
 		if ($token instanceof INamedToken && $name !== $currentName) {
 			$token->setName($name);
 			$this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]);

diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php
@@ -99,6 +99,9 @@ public function getAppPassword(): DataResponse {
 		}
 
 		$userAgent = $this->request->getHeader('USER_AGENT');
+		if (mb_strlen($userAgent) > 128) {
+			$userAgent = mb_substr($userAgent, 0, 120) . '…';
+		}
 
 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 

diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
@@ -322,6 +322,10 @@ public function generateAppPassword($stateToken,
 			$clientName = $client->getName();
 		}
 
+		if (mb_strlen($clientName) > 128) {
+			$clientName = mb_substr($clientName, 0, 120) . '…';
+		}
+
 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 		$uid = $this->userSession->getUser()->getUID();
 		$generatedToken = $this->tokenProvider->generateToken(

diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
@@ -61,6 +61,10 @@ public function generateToken(string $token,
 								  string $name,
 								  int $type = IToken::TEMPORARY_TOKEN,
 								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
+		if (mb_strlen($name) > 128) {
+			throw new InvalidTokenException('The given name is too long');
+		}
+
 		try {
 			return $this->publicKeyTokenProvider->generateToken(
 				$token,

diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -84,6 +84,10 @@ public function generateToken(string $token,
 								  string $name,
 								  int $type = IToken::TEMPORARY_TOKEN,
 								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
+		if (mb_strlen($name) > 128) {
+			throw new InvalidTokenException('The given name is too long');
+		}
+
 		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
 		$this->mapper->insert($dbToken);