From 2a897a8a6be7a67d8862c1b32b46c296c508f318 Mon Sep 17 00:00:00 2001
From: Kane York
Date: Mon, 13 Jul 2015 13:40:52 -0700
Subject: [PATCH] SECURITY: Remove email validation check bypass

- Increase size of email column to varchar(513)
- Give error message on signup when email is too large

Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.
---
 app/controllers/users_controller.rb | 4 ++++
 config/locales/server.en.yml | 1 +
 db/migrate/20150713203955_enlarge_users_email_field.rb | 8 ++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 db/migrate/20150713203955_enlarge_users_email_field.rb

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8bb3c44dc0c..9183fb79156 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -232,6 +232,10 @@ class UsersController < ApplicationController
       return fail_with("login.password_too_long")
     end
 
+    if params[:email] && params[:email].length > 254 + 1 + 253
+      return fail_with("login.email_too_long")
+    end
+
     if SiteSetting.reserved_usernames.split("|").include? params[:username].downcase
       return fail_with("login.reserved_username")
     end
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 0218a9126c3..60dafee22a3 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1302,6 +1302,7 @@ en:
     omniauth_error_unknown: "Something went wrong processing your log in, please try again."
     new_registrations_disabled: "New account registrations are not allowed at this time."
     password_too_long: "Passwords are limited to 200 characters."
+    email_too_long: "The email you provided is too long. Mailbox names must be no more than 254 characters, and domain names must be no more than 253 characters."
     reserved_username: "That username is not allowed."
     missing_user_field: "You have not completed all the user fields"
     close_window: "Authentication is complete. Close this window to continue."
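Review bot: The limit `254 + 1 + 253` in the new guard is an unexplained magic expression; the locale string added in the same commit describes it (mailbox 254, `@`, domain 253), but nothing in the controller does, and it is 5 characters short of the `varchar(513)` column the migration introduces, so a reader cannot tell whether that gap is intentional. Hoisting it into a named constant with a comment would make the invariant explicit: `# mailbox (254) + "@" + domain (253); must stay below the users.email column limit (513) so a validated address is never truncated on save`, `MAX_EMAIL_LENGTH = 254 + 1 + 253`, and `if params[:email] && params[:email].length > MAX_EMAIL_LENGTH`. `String#length` counts characters rather than bytes, so if the column limit is enforced in bytes on the deployed database a multibyte address could still exceed it — worth confirming against the column type. The enclosing action starts and ends outside the hunk, and this guard only covers this one action; any other path that writes `users.email` presumably needs the same check to keep the validated and stored values identical.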
diff --git a/db/migrate/20150713203955_enlarge_users_email_field.rb b/db/migrate/20150713203955_enlarge_users_email_field.rb
new file mode 100644
index 00000000000..15856c0f04c
--- /dev/null
+++ b/db/migrate/20150713203955_enlarge_users_email_field.rb
@@ -0,0 +1,8 @@
+class EnlargeUsersEmailField < ActiveRecord::Migration
+  def up
+    change_column :users, :email, :string, :limit => 513
+  end
+  def down
+    change_column :users, :email, :string, :limit => 128
+  end
+end
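Review bot: `down` shrinks `users.email` back to `:limit => 128`, but once `up` has run the table may hold addresses longer than that, and on databases that reject shortening a column below existing values the rollback will fail (or, depending on the adapter, truncate) rather than cleanly reverse. At minimum this deserves a comment above `def down`, e.g. `# Rolling back will fail if any stored email is longer than 128 characters`, or `down` should check for such rows before altering the column. The value 513 is also unexplained; a comment in `up` such as `# Must stay above the 254 + 1 + 253 signup limit in users_controller.rb so a validated address is never truncated on save` would tie the two halves of the fix together.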