From 9ef8420d911fcab285086e4ac2faebe61b4f58af Mon Sep 17 00:00:00 2001
From: Carl Schwan
Date: Mon, 4 May 2026 10:42:43 +0200
Subject: [PATCH] fix: Add comments that homepath is trusted

Avoid bullshit security reports

Signed-off-by: Carl Schwan
---
 lib/UserBackend.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/UserBackend.php b/lib/UserBackend.php
index baa1ef5e7..38324bb71 100644
--- a/lib/UserBackend.php
+++ b/lib/UserBackend.php
@@ -92,16 +92,22 @@ public function createUserIfNotExists(string $uid, array $attributes = []): void
 }
 if ($home !== '') {
- //if attribute's value is an absolute path take this, otherwise append it to data dir
- //check for / at the beginning or pattern c:\ resp. c:/
+ $dataDir = $this->config->getSystemValueString('datadirectory', $this->serverRoot . '/data');
+
+ // note: Path traversal is allowed because we trust the idp and it allows to do partitioning
+ // of the storage.
+ //
+ // If attribute's value is an absolute path take this, otherwise append it to data dir
+ // check for / at the beginning or pattern c:\ resp. c:/
 if ($home[0] !== '/' && !(strlen($home) > 3 && ctype_alpha($home[0]) && $home[1] === ':' && ($home[2] === '\\' || $home[2] === '/')) ) {
- $home = $this->config->getSystemValueString('datadirectory',
- $this->serverRoot . '/data') . '/' . $home;
+ $home = $dataDir . '/' . $home;
 }
+ }
+ if ($home !== '') {
 $values['home'] = $home;
 }
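Review bot: The comment added above the `if ($home[0] !== '/'` check says the IdP is trusted but not what that trust requires, which is the part an operator or auditor needs to read. In the visible lines an absolute `$home` is taken as is and a relative one is only prefixed with `$dataDir`, with no normalisation before `$values['home'] = $home;`, so whoever can set the mapped attribute at the IdP chooses a filesystem path on the server. I would spell out the precondition, e.g. `// Trust boundary: $home is used exactly as the IdP sends it (absolute paths and ".." are not confined to $dataDir).` followed by `// The mapped home attribute must be settable by IdP administrators only, never by the users themselves.` Where `$home` is read lies outside this hunk, so its origin is inferred from the comment and the `$attributes` parameter; the body of `createUserIfNotExists` also starts and ends outside the hunk.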