aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorByron Jones ‹:glob› <glob@mozilla.com>2015-09-10 13:30:04 -0400
committerDavid Lawrence <dkl@mozilla.com>2015-09-10 13:30:04 -0400
commit69386c52ff846c11867783244f3c9c9109f5e1e7 (patch)
treeb97106e52b18ae6eeab2f328f940c0b9e88dbe90 /Bugzilla/Util.pm
parentBug 1191924: Release notes for Bugzilla 5.0.1 (diff)
downloadbugzilla-69386c52ff846c11867783244f3c9c9109f5e1e7.tar.gz
bugzilla-69386c52ff846c11867783244f3c9c9109f5e1e7.tar.bz2
bugzilla-69386c52ff846c11867783244f3c9c9109f5e1e7.zip
Bug 1202447: [SECURITY] The email address is not properly validated during registration if longer than 127 characters
r=LpSolit,a=justdave
Diffstat (limited to 'Bugzilla/Util.pm')
-rw-r--r--Bugzilla/Util.pm12
1 files changed, 9 insertions, 3 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 670f5f8f2..037b38648 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -676,12 +676,18 @@ sub validate_email_syntax {
# RFC 2822 section 2.1 specifies that email addresses must
# be made of US-ASCII characters only.
# Email::Address::addr_spec doesn't enforce this.
- my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
- if ($ret) {
+ # We set the max length to 127 to ensure addresses aren't truncated when
+ # inserted into the tokens.eventdata field.
+ if ($addr =~ /$match/
+ && $email !~ /\P{ASCII}/
+ && $email =~ /^$addr_spec$/
+ && length($email) <= 127)
+ {
# We assume these checks to suffice to consider the address untainted.
trick_taint($_[0]);
+ return 1;
}
- return $ret ? 1 : 0;
+ return 0;
}
sub check_email_syntax {