summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorByron Jones ‹:glob› <glob@mozilla.com>2015-09-10 19:36:24 +0200
committerDavid Lawrence <dkl@mozilla.com>2015-09-10 19:36:24 +0200
commit9d64d1549fbe7ab27eafad03bb9db2b10bd7a629 (patch)
tree0843c9e3d5f21a95847b9b75d2c720920f01aefd
parente32682d665acf25ed54c93e66f4ac6d61dae3514 (diff)
downloadbugzilla-9d64d1549fbe7ab27eafad03bb9db2b10bd7a629.tar.gz
bugzilla-9d64d1549fbe7ab27eafad03bb9db2b10bd7a629.tar.xz
Bug 1202447: [SECURITY] The email address is not properly validated during registration if longer than 127 characters
r=LpSolit,a=justdave
-rw-r--r--Bugzilla/Util.pm12
1 files changed, 9 insertions, 3 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index f0b38b0b0..ad008b768 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -669,12 +669,18 @@ sub validate_email_syntax {
# RFC 2822 section 2.1 specifies that email addresses must
# be made of US-ASCII characters only.
# Email::Address::addr_spec doesn't enforce this.
- my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
- if ($ret) {
+ # We set the max length to 127 to ensure addresses aren't truncated when
+ # inserted into the tokens.eventdata field.
+ if ($addr =~ /$match/
+ && $email !~ /\P{ASCII}/
+ && $email =~ /^$addr_spec$/
+ && length($email) <= 127)
+ {
# We assume these checks to suffice to consider the address untainted.
trick_taint($_[0]);
+ return 1;
}
- return $ret ? 1 : 0;
+ return 0;
}
sub check_email_syntax {