
Disallow email addresses which will overflow MySQL storage

Description

Disallow email addresses which will overflow MySQL storage

Summary:
Via HackerOne. An attacker can bypass auth.email-domains by registering with an email like:

aaaaa...aaaaa@evil.com@company.com

We'll validate the full string, then insert it into the database where it will be truncated, removing the @company.com part. Then we'll send an email to @evil.com.

Instead, reject email addresses which won't fit in the table.

STRICT_ALL_TABLES stops this attack; I'm going to add a setup warning encouraging it.

Test Plan:

  • Set auth.email-domains to @company.com.
  • Registered with aaa...aaa@evil.com@company.com. Previously this worked, now it is rejected.
  • Did a valid registration.
  • Tried to add aaa...aaaa@evil.com@company.com as an email address. Previously this worked, now it is rejected.
  • Did a valid email add.
  • Added and executed unit tests.

Reviewers: btrahan, arice

Reviewed By: arice

CC: aran, chad

Differential Revision: https://secure.phabricator.com/D8308
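
The validation-order problem described in the commit message, as an added Python sketch. This is not Phabricator's own code (which is PHP); `MAX_EMAIL_LEN`, the function names, and the `store_nonstrict` / `store_strict` stand-ins for MySQL behaviour are assumptions made for illustration.

```python
MAX_EMAIL_LEN = 128  # assumed column width in characters (not stated on the page)
ALLOWED_DOMAINS = ("company.com",)  # stands in for auth.email-domains


def store_nonstrict(value, width=MAX_EMAIL_LEN):
    """Stand-in for MySQL without STRICT_ALL_TABLES: oversize text is silently cut."""
    return value[:width]


def store_strict(value, width=MAX_EMAIL_LEN):
    """Stand-in for STRICT_ALL_TABLES: oversize text is an error, never truncated."""
    if len(value) > width:
        raise ValueError("data too long for column")
    return value


def domain_allowed(address):
    """Allow-list check on the text after the last '@'."""
    _, sep, domain = address.rpartition("@")
    return bool(sep) and domain.lower() in ALLOWED_DOMAINS


def register_unchecked(address, store=store_nonstrict):
    """'Before' behaviour: validate the full string, then store whatever fits."""
    if not domain_allowed(address):
        raise ValueError("domain not allowed")
    return store(address)


def register_checked(address, store=store_nonstrict):
    """'After' behaviour: reject any address the column cannot hold intact."""
    if len(address) > MAX_EMAIL_LEN:
        raise ValueError("address too long for storage")
    if not domain_allowed(address):
        raise ValueError("domain not allowed")
    stored = store(address)
    if stored != address:  # what was validated must be what was stored
        raise ValueError("stored value differs from validated value")
    return stored


def constructed_overlong():
    """Constructed regression input shaped like the address in the commit message."""
    tail = "@evil.com"
    return "a" * (MAX_EMAIL_LEN - len(tail)) + tail + "@company.com"
```

The length check runs before the allow-list check so the string that is validated is always the string that is stored; the post-store comparison catches any other layer that rewrites the value.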

Details

Provenance
epriestley Authored on
epriestley Pushed on Feb 23 2014, 6:19 PM
Reviewer
arice
Differential Revision
D8308: Disallow email addresses which will overflow MySQL storage
Parents
rPa4d4bf81961f: Add ObjectBox around Diffusion Binary Files
Branches
Unknown
Tags
Unknown
