Page MenuHomePhabricator

Disallow email addresses which will overflow MySQL storage
ClosedPublic

Authored by epriestley on Feb 23 2014, 5:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 29, 11:06 PM
Unknown Object (File)
Mon, Dec 23, 10:41 AM
Unknown Object (File)
Mon, Dec 23, 10:41 AM
Unknown Object (File)
Mon, Dec 23, 10:28 AM
Unknown Object (File)
Fri, Dec 20, 11:08 AM
Unknown Object (File)
Fri, Dec 13, 3:40 PM
Unknown Object (File)
Wed, Dec 11, 3:27 PM
Unknown Object (File)
Mon, Dec 9, 4:53 AM
Subscribers

Details

Summary

Via HackerOne. An attacker can bypass auth.email-domains by registering with an email like:

aaaaa...aaaaa@evil.com@company.com

We'll validate the full string, then insert it into the database where it will be truncated, removing the @company.com part. Then we'll send an email to @evil.com.

Instead, reject email addresses which won't fit in the table.

STRICT_ALL_TABLES stops this attack, I'm going to add a setup warning encouraging it.

Test Plan
  • Set auth.email-domains to @company.com.
  • Registered with aaa...aaa@evil.com@company.com. Previously this worked, now it is rejected.
  • Did a valid registration.
  • Tried to add aaa...aaaa@evil.com@company.com as an email address. Previously this worked, now it is rejected.
  • Did a valid email add.
  • Added and executed unit tests.

Diff Detail

Repository
rP Phabricator
Branch
sec1
Lint
Lint Passed
Unit
Tests Passed

Event Timeline

Here's the new error on registration:

{F117037}

arice added inline comments.
src/applications/people/storage/PhabricatorUserEmail.php
35–41

Is it intentional that fully qualified addresses are not required? I'd assume so given that Phabricator might be running on an internal MTA capable of resolving partial addresses. If not, this probably introduced a good opportunity to add user-friendly validation for valid chars and the presence of a domain.

But that's not relevant to this issue.

It's intentional that we don't try to validate the format of the address, yeah. I did consider adding basic validation here (e.g., requiring it to contain @) but since this is a security issue I didn't want to conflate things by glomming it on here. I also suspect very few users would be helped by a warning like that, and it's plausible (if unlikely) that Phabricator might be configured for local delivery.

(An approach I've seen elsewhere is looking for gaiml.com, etc., and suggesting a correction to gmail.com -- which seems more likely to me to catch errors than checking for @ and . -- but as far as I'm aware users do not generally have difficulty entering their email address correctly. Most installs use some other identity provider as an authority anyway, and we just read the address out of that, so they'd have to be pathologically bad at forms to get it wrong.)

purirobin edited edge metadata.
epriestley edited edge metadata.