From 51e20dd6c56e8f9221f9019f83a2abe61a90c4f6 Mon Sep 17 00:00:00 2001
From: Christopher Ng
Date: Tue, 28 Jun 2022 18:03:15 +0000
Subject: [PATCH 1/3] Do not save invalid display name to the database
Signed-off-by: Christopher Ng
---
 apps/provisioning_api/lib/Controller/UsersController.php | 4 +++-
 lib/private/User/Database.php | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index a26479ba0a8f2..839ac404c947b 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -837,7 +837,9 @@ public function editUser(string $userId, string $key, string $value): DataRespon
 switch ($key) {
 case self::USER_FIELD_DISPLAYNAME:
 case IAccountManager::PROPERTY_DISPLAYNAME:
- $targetUser->setDisplayName($value);
+ if (!$targetUser->setDisplayName($value)) {
+ throw new OCSException('Invalid displayname', 102);
+ }
 break;
 case self::USER_FIELD_QUOTA:
 $quota = $value;
diff --git a/lib/private/User/Database.php b/lib/private/User/Database.php
index a9464c2708567..1470409c862fa 100644
--- a/lib/private/User/Database.php
+++ b/lib/private/User/Database.php
@@ -215,6 +215,10 @@ public function setPassword(string $uid, string $password): bool {
 * Change the display name of a user
 */
 public function setDisplayName(string $uid, string $displayName): bool {
+ if (mb_strlen($displayName) > 64) {
+ return false;
+ }
+ $this->fixDI();
 if ($this->userExists($uid)) {
From 9bd1935d604c621fa1e74a8d23a1bb1c04186a9e Mon Sep 17 00:00:00 2001
From: Christopher Ng
Date: Tue, 28 Jun 2022 18:09:39 +0000
Subject: [PATCH 2/3] Prevent duplicate set display name request
Signed-off-by: Christopher Ng
---
 apps/settings/js/federationsettingsview.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
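Review bot: In `editUser`, the new `if (!$targetUser->setDisplayName($value))` branch reports every `false` return as `'Invalid displayname'` with code 102, but nothing in the hunk shows that an over-long name is the only reason `setDisplayName()` can return false. If the user object also returns false for an unchanged name or for a backend that cannot store display names (not visible here, so worth confirming), API clients will be told their input is invalid when it is not. Consider validating the length in the controller before the call so the error is specific, or at least document the catch-all with `// setDisplayName() returns false for any rejected or unsaved name, not only for length`. The enclosing `switch` and the rest of `editUser` continue outside the hunk.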
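Review bot: The `64` in the new `mb_strlen($displayName) > 64` guard of `Database::setDisplayName` is an unexplained magic number, and the bare `return false` gives callers no way to tell an over-long name from any other failure. Presumably 64 mirrors the width of the display-name column; if so, name it and say so, e.g. `private const MAX_DISPLAYNAME_LENGTH = 64; // must match the displayname column width`, and compare against that constant. The docblock above the method should also state that names longer than the limit are rejected and `false` is returned. The guard covers only this database backend, so other user backends still need their own limit if the intent is to enforce it everywhere. The method body continues past the end of the hunk.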
diff --git a/apps/settings/js/federationsettingsview.js b/apps/settings/js/federationsettingsview.js
index 9eb0b93073311..e05cc9f20f4e8 100644
--- a/apps/settings/js/federationsettingsview.js
+++ b/apps/settings/js/federationsettingsview.js
@@ -128,7 +128,8 @@ _.each(this._inputFields, function(field) {
 if (
 field === 'avatar' ||
- field === 'email'
+ field === 'email' ||
+ field === 'displayname'
 ) {
 return;
 }
From 6e628c2097c039e8d7c2c47bcc29eb4b862a6788 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 6 Jul 2022 14:27:18 +0200
Subject: [PATCH 3/3] Fix unit tests
Signed-off-by: Joas Schilling
---
 apps/provisioning_api/tests/Controller/UsersControllerTest.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/provisioning_api/tests/Controller/UsersControllerTest.php b/apps/provisioning_api/tests/Controller/UsersControllerTest.php
index 6162be54a041c..4449302fedda4 100644
--- a/apps/provisioning_api/tests/Controller/UsersControllerTest.php
+++ b/apps/provisioning_api/tests/Controller/UsersControllerTest.php
@@ -1486,7 +1486,8 @@ public function testEditUserRegularUserSelfEditChangeDisplayName() {
 $targetUser
 ->expects($this->once())
 ->method('setDisplayName')
- ->with('NewDisplayName');
+ ->with('NewDisplayName')
+ ->willReturn(true);
 $targetUser
 ->expects($this->any())
 ->method('getUID')
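Review bot: The skip condition in the `_.each(this._inputFields, ...)` callback now lists three fields but gives no reason for excluding them, so the next reader cannot tell whether `displayname` was left out on purpose. Going by the commit title, the field is presumably saved through another handler and registering it here caused a second request; a one-line comment above the `if`, such as `// avatar, email and displayname are saved by their own handlers; skip them to avoid a duplicate request`, would record that once it is confirmed against the handlers outside this hunk. This change only affects which requests the browser sends, so the server-side length check from the first patch remains the actual control. The callback body continues outside the hunk.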
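Review bot: Only the success path is stubbed here: with `->willReturn(true)` the existing test passes again, but no test visible in this hunk exercises the new branch in `editUser` that throws `OCSException('Invalid displayname', 102)` when `setDisplayName()` returns false. A sibling test that stubs `->willReturn(false)` and sets `$this->expectException(OCSException::class);` and `$this->expectExceptionCode(102);` before calling `editUser` would pin that behaviour. The test method continues past the end of the hunk, so the rest of its setup is not visible.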