authorReidAnderson <rbarryanderson@gmail.com>2019-05-20 05:20:08 -0500
committerRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2019-05-20 11:20:08 +0100
commit3787133c9e3fcf0e9b85700418bf03c48ec86ab3 (patch)
tree5142e89481b5cb89354337cb2f70e0ad7a72842f
parentfix mapping of return values for get_or_register_3pid_guest (#5177) (diff)
downloadsynapse-3787133c9e3fcf0e9b85700418bf03c48ec86ab3.tar.xz
Limit UserIds to a length that fits in a state key (#5198)
-rw-r--r--changelog.d/5198.bugfix1
-rw-r--r--synapse/api/constants.py3
-rw-r--r--synapse/handlers/register.py11
-rw-r--r--tests/handlers/test_register.py7
4 files changed, 21 insertions, 1 deletions
diff --git a/changelog.d/5198.bugfix b/changelog.d/5198.bugfix
new file mode 100644
index 0000000000..c6b156f17d
--- /dev/null
+++ b/changelog.d/5198.bugfix
@@ -0,0 +1 @@
+Prevent registration for user ids that are to long to fit into a state key. Contributed by Reid Anderson.
\ No newline at end of file
diff --git a/synapse/api/constants.py b/synapse/api/constants.py
index 8547a63535..c7bf95b426 100644
--- a/synapse/api/constants.py
+++ b/synapse/api/constants.py
@@ -23,6 +23,9 @@ MAX_DEPTH = 2**63 - 1
 # the maximum length for a room alias is 255 characters
 MAX_ALIAS_LENGTH = 255
 
+# the maximum length for a user id is 255 characters
+MAX_USERID_LENGTH = 255
+
 
 class Membership(object):
 
diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index a51d11a257..e83ee24f10 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -19,7 +19,7 @@ import logging
 from twisted.internet import defer
 
 from synapse import types
-from synapse.api.constants import LoginType
+from synapse.api.constants import MAX_USERID_LENGTH, LoginType
 from synapse.api.errors import (
     AuthError,
     Codes,
@@ -123,6 +123,15 @@ class RegistrationHandler(BaseHandler):
 
         self.check_user_id_not_appservice_exclusive(user_id)
 
+        if len(user_id) > MAX_USERID_LENGTH:
+            raise SynapseError(
+                400,
+                "User ID may not be longer than %s characters" % (
+                    MAX_USERID_LENGTH,
+                ),
+                Codes.INVALID_USERNAME
+            )
+
         users = yield self.store.get_users_by_id_case_insensitive(user_id)
         if users:
             if not guest_access_token:
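Review bot: The new length check sits after `self.check_user_id_not_appservice_exclusive(user_id)`, so an over-long, caller-supplied ID is still handed to that check before it is rejected. Moving the `if len(user_id) > MAX_USERID_LENGTH:` block above that call would reject oversized input before any further processing. Also, `len(user_id)` counts characters, not encoded bytes. If the state-key limit this guards is enforced in bytes, the check only holds while user IDs are ASCII, which this hunk does not show. A short comment such as `# user_id is ASCII-only here, so len() equals its encoded size` (once confirmed) would record that assumption. The enclosing method starts and ends outside the hunk, so whether every registration path reaches this check cannot be confirmed from here.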
diff --git a/tests/handlers/test_register.py b/tests/handlers/test_register.py
index 1c253d0579..5ffba2ca7a 100644
--- a/tests/handlers/test_register.py
+++ b/tests/handlers/test_register.py
@@ -228,3 +228,10 @@ class RegistrationTestCase(unittest.HomeserverTestCase):
     def test_register_not_support_user(self):
         res = self.get_success(self.handler.register(localpart='user'))
         self.assertFalse(self.store.is_support_user(res[0]))
+
+    def test_invalid_user_id_length(self):
+        invalid_user_id = "x" * 256
+        self.get_failure(
+            self.handler.register(localpart=invalid_user_id),
+            SynapseError
+        )
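Review bot: `test_invalid_user_id_length` only asserts that some `SynapseError` is raised, so it would still pass if the 256-character localpart were rejected by an unrelated check and the length limit were removed. Capturing the failure and pinning the reason would tie the test to the new guard, for example `e = self.get_failure(...)` followed by `self.assertEqual(e.value.errcode, Codes.INVALID_USERNAME)`, assuming `Codes` is imported in this test module. The input is also well past the limit once the sigil and server name are added. A pair of cases where the full user ID is exactly `MAX_USERID_LENGTH` (accepted) and one character longer (rejected) would catch an off-by-one in the comparison. The test class begins outside the hunk.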