author | Richard van der Hoff <richard@matrix.org> | 2019-06-01 10:42:33 +0100 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2019-06-01 10:44:36 +0100 |
commit | d16c6375fe39deaafd70b151e496f5e15fd7b29c (patch) | |
tree | 8450be747932a05c53b389ad5c9420fb3e6672e6 | |
parent | update changelog (diff) | |
download | synapse-d16c6375fe39deaafd70b151e496f5e15fd7b29c.tar.xz |
Limit displaynames and avatar URLs
These end up in join events everywhere, so let's limit them. Fixes #5079
Diffstat (limited to '')
-rw-r--r-- | changelog.d/5309.bugfix | 1 | ||||
-rw-r--r-- | synapse/handlers/profile.py | 13 | ||||
-rw-r--r-- | synapse/handlers/register.py | 2 |
3 files changed, 16 insertions, 0 deletions
diff --git a/changelog.d/5309.bugfix b/changelog.d/5309.bugfix
new file mode 100644
index 0000000000..97b3527266
--- /dev/null
+++ b/changelog.d/5309.bugfix
@@ -0,0 +1 @@
+Prevent users from setting huge displaynames and avatar URLs.
diff --git a/synapse/handlers/profile.py b/synapse/handlers/profile.py
index 91fc718ff8..a5fc6c5dbf 100644
--- a/synapse/handlers/profile.py
+++ b/synapse/handlers/profile.py
@@ -31,6 +31,9 @@ from ._base import BaseHandler
 logger = logging.getLogger(__name__)
+MAX_DISPLAYNAME_LEN = 100
+MAX_AVATAR_URL_LEN = 1000
+
 class BaseProfileHandler(BaseHandler):
 """Handles fetching and updating user profile information.
@@ -162,6 +165,11 @@ class BaseProfileHandler(BaseHandler):
 if not by_admin and target_user != requester.user:
 raise AuthError(400, "Cannot set another user's displayname")
+ if len(new_displayname) > MAX_DISPLAYNAME_LEN:
+ raise SynapseError(
+ 400, "Displayname is too long (max %i)" % (MAX_DISPLAYNAME_LEN, ),
+ )
+
 if new_displayname == '':
 new_displayname = None
@@ -217,6 +225,11 @@ class BaseProfileHandler(BaseHandler):
 if not by_admin and target_user != requester.user:
 raise AuthError(400, "Cannot set another user's avatar_url")
+ if len(new_avatar_url) > MAX_AVATAR_URL_LEN:
+ raise SynapseError(
+ 400, "Avatar URL is too long (max %i)" % (MAX_AVATAR_URL_LEN, ),
+ )
+
 yield self.store.set_profile_avatar_url(
 target_user.localpart, new_avatar_url
 )
diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index e83ee24f10..9a388ea013 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -531,6 +531,8 @@ class RegistrationHandler(BaseHandler):
 A tuple of (user_id, access_token).
 Raises:
 RegistrationError if there was a problem registering.
+
+ NB this is only used in tests. TODO: move it to the test package!
 """
 if localpart is None:
 raise SynapseError(400, "Request must include user id") |
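Review bot: The two new module-level limits `MAX_DISPLAYNAME_LEN` and `MAX_AVATAR_URL_LEN` carry no comment saying why they exist or what unit they are in, and the rationale given in the commit message (these values are copied into membership events everywhere) is exactly what a later maintainer tuning them will want. Suggest a comment above them such as `# Upper bounds on profile fields; these values are copied into every membership event the user sends, so keep them small.`. Since the checks below use `len()` on the value, the limit is in characters rather than bytes if the inputs are `str`, which is worth stating because a 100-character name can be several hundred bytes once encoded into an event.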
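Review bot: `len(new_displayname)` runs before the existing `== ''` normalisation, so if any caller can pass `new_displayname` as `None` (for instance a JSON `null` from the client) the new check raises `TypeError` instead of a 400; the callers are not visible in this hunk, so this needs confirming. If `None` is reachable, `if new_displayname is not None and len(new_displayname) > MAX_DISPLAYNAME_LEN:` keeps the existing behaviour for that case. The same applies to the `len(new_avatar_url)` check in the following hunk. Both checks only guard the local setter paths, so profile values carried in membership events arriving from other servers are not constrained by this change, which may be intended but is worth recording. The enclosing method starts and ends outside the hunk.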