author | Byron Jones ‹:glob› <glob@mozilla.com> | 2015-09-10 13:30:04 -0400 |
---|---|---|
committer | David Lawrence <dkl@mozilla.com> | 2015-09-10 13:30:04 -0400 |
commit | 69386c52ff846c11867783244f3c9c9109f5e1e7 (patch) | |
tree | b97106e52b18ae6eeab2f328f940c0b9e88dbe90 /Bugzilla/Util.pm | |
parent | Bug 1191924: Release notes for Bugzilla 5.0.1 (diff) | |
Bug 1202447: [SECURITY] The email address is not properly validated during registration if longer than 127 characters
r=LpSolit,a=justdave
Diffstat (limited to 'Bugzilla/Util.pm')
-rw-r--r-- | Bugzilla/Util.pm | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 670f5f8f2..037b38648 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -676,12 +676,18 @@ sub validate_email_syntax {
     # RFC 2822 section 2.1 specifies that email addresses must
     # be made of US-ASCII characters only.
     # Email::Address::addr_spec doesn't enforce this.
-    my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
-    if ($ret) {
+    # We set the max length to 127 to ensure addresses aren't truncated when
+    # inserted into the tokens.eventdata field.
+    if ($addr =~ /$match/
+        && $email !~ /\P{ASCII}/
+        && $email =~ /^$addr_spec$/
+        && length($email) <= 127)
+    {
         # We assume these checks to suffice to consider the address untainted.
         trick_taint($_[0]);
+        return 1;
     }
-    return $ret ? 1 : 0;
+    return 0;
 }
 
 sub check_email_syntax {
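Review bot: The new `length($email) <= 127` condition hard-codes the width of the tokens.eventdata column inside Util.pm, so a later change to that column would silently reintroduce the truncation this commit closes; a named constant declared near the top of the file, e.g. `use constant MAX_EMAIL_LENGTH => 127;`, referenced both here and wherever the schema width is defined, would keep the two in step and make the intent of the number visible at the call site. The length test is also the cheapest of the four checks yet runs last, after three regex matches; leading with it, `if (length($email) <= 127 && $addr =~ /$match/ ...`, rejects oversized input before any pattern work, which is the usual ordering for input validation. Because the preceding `$email !~ /\P{ASCII}/` test guarantees an ASCII-only string, `length()` in characters equals the byte count here, so the comparison matches the storage limit it is meant to protect; that relationship is worth a half-sentence in the new comment. validate_email_syntax's signature and the derivation of `$email`, `$addr`, `$match` and `$addr_spec` from `$_[0]` lie above the hunk, so the untainting via `trick_taint($_[0])` is only as sound as those assignments.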