1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 18:32:41 +01:00
phorge-phorge/src/applications/auth/controller
epriestley 7cf0358dda Disallow email addresses which will overflow MySQL storage
Summary:
Via HackerOne. An attacker can bypass `auth.email-domains` by registering with an email like:

  aaaaa...aaaaa@evil.com@company.com

We'll validate the full string, then insert it into the database where it will be truncated, removing the `@company.com` part. Then we'll send an email to `@evil.com`.

Instead, reject email addresses which won't fit in the table.

`STRICT_ALL_TABLES` stops this attack, I'm going to add a setup warning encouraging it.

Test Plan:
  - Set `auth.email-domains` to `@company.com`.
  - Registered with `aaa...aaa@evil.com@company.com`. Previously this worked, now it is rejected.
  - Did a valid registration.
  - Tried to add `aaa...aaaa@evil.com@company.com` as an email address. Previously this worked, now it is rejected.
  - Did a valid email add.
  - Added and executed unit tests.

Reviewers: btrahan, arice

Reviewed By: arice

CC: aran, chad

Differential Revision: https://secure.phabricator.com/D8308
2014-02-23 10:19:35 -08:00
..
config Make password hashing modular 2014-02-18 14:09:36 -08:00
PhabricatorAuthConfirmLinkController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorAuthController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthLinkController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthLoginController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthNeedsApprovalController.php Slightly improve behavior for unverified + unapproved users 2013-11-21 12:58:58 -08:00
PhabricatorAuthOldOAuthRedirectController.php Make old GitHub OAuth URIs work for now 2013-06-21 06:11:57 -07:00
PhabricatorAuthRegisterController.php Disallow email addresses which will overflow MySQL storage 2014-02-23 10:19:35 -08:00
PhabricatorAuthStartController.php After writing "next_uri", don't write it again for a while 2014-01-23 14:16:08 -08:00
PhabricatorAuthUnlinkController.php Move all account link / unlink to new registration flow 2013-06-17 06:12:45 -07:00
PhabricatorAuthValidateController.php After writing "next_uri", don't write it again for a while 2014-01-23 14:16:08 -08:00
PhabricatorDisabledUserController.php Restore merge of phutil_tag. 2013-02-13 14:51:18 -08:00
PhabricatorEmailLoginController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorEmailTokenController.php Fix some security issues with email password resets 2014-01-27 16:53:04 -08:00
PhabricatorEmailVerificationController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorLogoutController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorMustVerifyEmailController.php Recover more flexibly from an already-verified email 2013-11-21 14:41:32 -08:00
PhabricatorRefreshCSRFController.php Delete license headers from files 2012-11-05 11:16:51 -08:00