
Disallow email addresses which will overflow MySQL storage

Authored by epriestley <git@epriestley.com> on Feb 23 2014, 19:19.

Description

Disallow email addresses which will overflow MySQL storage

Summary:
Via HackerOne. An attacker can bypass auth.email-domains by registering with an email like:

aaaaa...aaaaa@evil.com@company.com

We'll validate the full string, then insert it into the database where it will be truncated, removing the @company.com part. Then we'll send an email to @evil.com.

Instead, reject email addresses which won't fit in the table.

STRICT_ALL_TABLES stops this attack; I'm going to add a setup warning encouraging it.

Test Plan:

  • Set auth.email-domains to @company.com.
  • Registered with aaa...aaa@evil.com@company.com. Previously this worked, now it is rejected.
  • Did a valid registration.
  • Tried to add aaa...aaaa@evil.com@company.com as an email address. Previously this worked, now it is rejected.
  • Did a valid email add.
  • Added and executed unit tests.

Reviewers: btrahan, arice

Reviewed By: arice

CC: aran, chad

Differential Revision: https://secure.phabricator.com/D8308
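
The validate-then-truncate flow from the commit message above, next to the length check that closes it, as an added PHP example that is not Phabricator's code. The function names, the 128-byte column width and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Phabricator code. All names and the width are assumptions.
const EMAIL_COLUMN_WIDTH = 128; // assumed column width, constructed for this example

// Stand-in for the auth.email-domains check: the last "@" decides the domain.
function domain_allowed(string $address, array $allowed): bool {
  $at = strrpos($address, '@');
  if ($at === false) {
    return false;
  }
  return in_array(strtolower(substr($address, $at + 1)), $allowed, true);
}

// What a non-strict MySQL INSERT does to an over-long value: silent truncation.
function store_non_strict(string $address): string {
  return substr($address, 0, EMAIL_COLUMN_WIDTH);
}

// Before: validate the full string, then store it. Returns the stored value or null.
function register_before(string $address, array $allowed): ?string {
  return domain_allowed($address, $allowed) ? store_non_strict($address) : null;
}

// After: reject anything that will not fit, so stored value == validated value.
// strlen() counts bytes, which is never looser than a character limit.
function register_after(string $address, array $allowed): ?string {
  if (strlen($address) > EMAIL_COLUMN_WIDTH) {
    return null;
  }
  return register_before($address, $allowed);
}

function describe(?string $stored): string {
  if ($stored === null) {
    return 'rejected';
  }
  return 'stored, mail goes to @'.substr($stored, strrpos($stored, '@') + 1);
}

$allowed = ['company.com'];
// Constructed input: padded so "@evil.com" ends exactly at the column boundary.
$pad = str_repeat('a', EMAIL_COLUMN_WIDTH - strlen('@evil.com'));
$samples = [
  'aaa...aaa@evil.com@company.com' => $pad.'@evil.com@company.com',
  'alice@company.com' => 'alice@company.com',
  'bob@evil.com' => 'bob@evil.com',
];
foreach ($samples as $label => $input) {
  printf("%s\n  before: %s\n  after:  %s\n", $label,
    describe(register_before($input, $allowed)),
    describe(register_after($input, $allowed)));
}
```

Running with STRICT_ALL_TABLES enabled corresponds to `store_non_strict` raising an error instead of truncating, which is why the commit message says that mode stops the attack.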

Details

Committed
epriestley <git@epriestley.com>, Feb 23 2014, 19:19
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPHa4d4bf81961f: Add ObjectBox around Diffusion Binary Files
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH7cf0358dda11: Disallow email addresses which will overflow MySQL storage (authored by epriestley <git@epriestley.com>). Feb 23 2014, 19:19