From 9d8099f5f264b534c47eeac25d5f923067c92469 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Wed, 13 Mar 2019 09:45:25 +0100
Subject: [PATCH] Do not allow invalid users to be created

Signed-off-by: Roeland Jago Douma
---
 lib/private/User/Manager.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index 3d8cc34b85947..2aa1ff607416e 100644
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -280,6 +280,10 @@ public function searchDisplayName($pattern, $limit = null, $offset = null) {
 * @return bool|IUser the created user or false
 */
 public function createUser($uid, $password) {
+ if (!$this->verifyUid($uid)) {
+ return false;
+ }
+
 $localBackends = [];
 foreach ($this->backends as $backend) {
 if ($backend instanceof Database) {
@@ -599,4 +603,14 @@ public function getByEmail($email) {
 return ($u instanceof IUser);
 }));
 }
+
+ private function verifyUid(string $uid): bool {
+ $appdata = 'appdata_' . $this->config->getSystemValue('instanceid');
+
+ if ($uid === '.htaccess' || $uid === 'files_external' || $uid === '.ocdata' || $uid === 'owncloud.log' || $uid === 'nextcloud.log' || $uid === $appdata) {
+ return false;
+ }
+
+ return true;
+ }
 }
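Review bot: The new guard at the top of `createUser` returns `false` with no message or log entry, so a caller cannot tell a reserved name apart from any other failure covered by the docblock's "or false", and an attempt to register such a name leaves no trace for an administrator. It is also the only call site of `verifyUid` visible in this patch; any other path that creates accounts without going through `createUser` would skip the check, which cannot be confirmed here because the method body continues outside the hunk. Since `createUser` takes an untyped `$uid` while `verifyUid` declares `string $uid`, a non-string argument is either coerced or raises a `TypeError`, depending on the file's `strict_types` setting, instead of yielding `false`. At minimum I would add a comment above the guard, `// Reserved names are rejected before any backend is asked to create the account (see verifyUid)`.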
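Review bot: The deny list in `verifyUid` is compared with `===`, so it is exact and case-sensitive: `.HTACCESS` or `Nextcloud.log` pass the check, which matters if uids end up as directory names on a case-insensitive filesystem (an assumption, since the patch does not show how the uid is used). The log names are hard-coded, so an instance whose log file has a different name is not covered, and if `getSystemValue('instanceid')` returns an empty value the last entry degrades to the bare string `appdata_`. I would fold the names into one list and compare case-insensitively, `$reserved = ['.htaccess', 'files_external', '.ocdata', 'owncloud.log', 'nextcloud.log', strtolower($appdata)];` followed by `return !in_array(strtolower($uid), $reserved, true);`. A docblock stating why these names are reserved, and that the list has to be extended when new top-level entries appear, would help the next maintainer.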