aboutsummaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorByron Jones ‹:glob› <glob@mozilla.com>2015-09-10 13:30:04 -0400
committerDavid Lawrence <dkl@mozilla.com>2015-09-10 13:30:04 -0400
commit69386c52ff846c11867783244f3c9c9109f5e1e7 (patch)
treeb97106e52b18ae6eeab2f328f940c0b9e88dbe90 /Bugzilla
parenteff343a6ecdacae2aeef1d3fe55fca9d929ecadf (diff)
downloadbugs-69386c52ff846c11867783244f3c9c9109f5e1e7.tar
bugs-69386c52ff846c11867783244f3c9c9109f5e1e7.tar.gz
bugs-69386c52ff846c11867783244f3c9c9109f5e1e7.tar.bz2
bugs-69386c52ff846c11867783244f3c9c9109f5e1e7.tar.xz
bugs-69386c52ff846c11867783244f3c9c9109f5e1e7.zip
Bug 1202447: [SECURITY] The email address is not properly validated during registration if longer than 127 characters
r=LpSolit,a=justdave
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Util.pm12
1 files changed, 9 insertions, 3 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 670f5f8f2..037b38648 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -676,12 +676,18 @@ sub validate_email_syntax {
# RFC 2822 section 2.1 specifies that email addresses must
# be made of US-ASCII characters only.
# Email::Address::addr_spec doesn't enforce this.
- my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
- if ($ret) {
+ # We set the max length to 127 to ensure addresses aren't truncated when
+ # inserted into the tokens.eventdata field.
+ if ($addr =~ /$match/
+ && $email !~ /\P{ASCII}/
+ && $email =~ /^$addr_spec$/
+ && length($email) <= 127)
+ {
# We assume these checks to suffice to consider the address untainted.
trick_taint($_[0]);
+ return 1;
}
- return $ret ? 1 : 0;
+ return 0;
}
sub check_email_syntax {