author | Azrenbeth <77782548+Azrenbeth@users.noreply.github.com> | 2021-08-23 16:25:33 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-23 11:25:33 -0400 |
commit | 0c1d6f65d7c65efd8491adf4efc2620148e2841a (patch) | |
tree | c777df08af275d1723ea89ffb23324d1572ed86e | |
parent | Fix the titles in the OIDC documentation (#10639) (diff) | |
download | synapse-0c1d6f65d7c65efd8491adf4efc2620148e2841a.tar.xz |
Enforce the max length for per-room display names / avatar URLs. (#10654)
To match the maximum lengths allowed for profile data.
-rw-r--r-- | changelog.d/10654.bugfix | 1 | ||||
-rw-r--r-- | synapse/handlers/room_member.py | 17 |
2 files changed, 17 insertions, 1 deletions
diff --git a/changelog.d/10654.bugfix b/changelog.d/10654.bugfix
new file mode 100644
index 0000000000..b0bd78453f
--- /dev/null
+++ b/changelog.d/10654.bugfix
@@ -0,0 +1 @@
+Enforce the maximum length for per-room display names and avatar URLs.
\ No newline at end of file
diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py
index ba13196218..401b84aad1 100644
--- a/synapse/handlers/room_member.py
+++ b/synapse/handlers/room_member.py
@@ -36,6 +36,7 @@ from synapse.api.ratelimiting import Ratelimiter
 from synapse.event_auth import get_named_level, get_power_level_event
 from synapse.events import EventBase
 from synapse.events.snapshot import EventContext
+from synapse.handlers.profile import MAX_AVATAR_URL_LEN, MAX_DISPLAYNAME_LEN
 from synapse.types import (
     JsonDict,
     Requester,
@@ -79,7 +80,7 @@ class RoomMemberHandler(metaclass=abc.ABCMeta):
         self.account_data_handler = hs.get_account_data_handler()
         self.event_auth_handler = hs.get_event_auth_handler()
 
-        self.member_linearizer = Linearizer(name="member")
+        self.member_linearizer: Linearizer = Linearizer(name="member")
 
         self.clock = hs.get_clock()
         self.spam_checker = hs.get_spam_checker()
@@ -556,6 +557,20 @@ class RoomMemberHandler(metaclass=abc.ABCMeta):
             content.pop("displayname", None)
             content.pop("avatar_url", None)
 
+        if len(content.get("displayname") or "") > MAX_DISPLAYNAME_LEN:
+            raise SynapseError(
+                400,
+                f"Displayname is too long (max {MAX_DISPLAYNAME_LEN})",
+                errcode=Codes.BAD_JSON,
+            )
+
+        if len(content.get("avatar_url") or "") > MAX_AVATAR_URL_LEN:
+            raise SynapseError(
+                400,
+                f"Avatar URL is too long (max {MAX_AVATAR_URL_LEN})",
+                errcode=Codes.BAD_JSON,
+            )
+
         effective_membership_state = action
         if action in ["kick", "unban"]:
             effective_membership_state = "leave"
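Review bot: The new length checks in the third hunk call `len()` on whatever the client supplied under `displayname` / `avatar_url`, and `or ""` only covers None and the empty string, so a non-string value such as an integer makes `len()` raise TypeError and the request fails with a 500 rather than the intended 400, while a list or dict within the size limit passes the check and continues into event creation. Unless these keys are validated earlier in the method (its start is outside the hunk), add an `isinstance(value, str)` guard before measuring the length; the profile handler these constants come from may already do this for global profile data, and mirroring it keeps the per-room and global paths rejecting the same inputs. The two checks differ only in key, limit and label, so they can share one loop as sketched below; behaviour for None and for over-long strings is unchanged.
```python
        # … unchanged: content.pop("displayname"/"avatar_url") branch above …
        for key, max_len, label in (
            ("displayname", MAX_DISPLAYNAME_LEN, "Displayname"),
            ("avatar_url", MAX_AVATAR_URL_LEN, "Avatar URL"),
        ):
            value = content.get(key)
            if value is None:
                continue
            if not isinstance(value, str):
                raise SynapseError(
                    400, f"{label} must be a string", errcode=Codes.BAD_JSON
                )
            if len(value) > max_len:
                raise SynapseError(
                    400, f"{label} is too long (max {max_len})", errcode=Codes.BAD_JSON
                )

        effective_membership_state = action
        # … unchanged: rest of the method …
```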