revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-28 01:32:42 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/settings
History
epriestley 7cf0358dda Disallow email addresses which will overflow MySQL storage 
Summary:
Via HackerOne. An attacker can bypass `auth.email-domains` by registering with an email like:

  aaaaa...aaaaa@evil.com@company.com

We'll validate the full string, then insert it into the database where it will be truncated, removing the `@company.com` part. Then we'll send an email to `@evil.com`.

Instead, reject email addresses which won't fit in the table.

`STRICT_ALL_TABLES` stops this attack, I'm going to add a setup warning encouraging it.

Test Plan:
  - Set `auth.email-domains` to `@company.com`.
  - Registered with `aaa...aaa@evil.com@company.com`. Previously this worked, now it is rejected.
  - Did a valid registration.
  - Tried to add `aaa...aaaa@evil.com@company.com` as an email address. Previously this worked, now it is rejected.
  - Did a valid email add.
  - Added and executed unit tests.

Reviewers: btrahan, arice

Reviewed By: arice

CC: aran, chad

Differential Revision: https://secure.phabricator.com/D8308
2014-02-23 10:19:35 -08:00
..
application Miniturize the nav buttons 2014-01-31 09:10:32 -08:00
controller Remove dust from page construction 2013-08-19 18:09:35 -07:00
panel Disallow email addresses which will overflow MySQL storage 2014-02-23 10:19:35 -08:00
storage Split Diffusion "view" preference into blame and color preferences 2013-09-19 16:01:58 -07:00