author | Richard van der Hoff <1389908+richvdh@users.noreply.github.com> | 2019-06-01 11:34:50 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-01 11:34:50 +0100 |
commit | d828d1dc57eb8f9d23eee918af3f23180b9039cf (patch) | |
tree | 1f768ea005cf9575a312a3f19db2e66601c6a7e1 /synapse/handlers/profile.py | |
parent | Merge pull request #5299 from matrix-org/rav/server_keys/05-rewrite-gsvk-again (diff) | |
parent | add some tests (diff) | |
Merge pull request #5309 from matrix-org/rav/limit_displayname_length
Limit displaynames and avatar URLs
Diffstat (limited to 'synapse/handlers/profile.py')
-rw-r--r-- | synapse/handlers/profile.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/synapse/handlers/profile.py b/synapse/handlers/profile.py
index 91fc718ff8..a5fc6c5dbf 100644
--- a/synapse/handlers/profile.py
+++ b/synapse/handlers/profile.py
@@ -31,6 +31,9 @@ from ._base import BaseHandler
 logger = logging.getLogger(__name__)
+MAX_DISPLAYNAME_LEN = 100
+MAX_AVATAR_URL_LEN = 1000
+
 class BaseProfileHandler(BaseHandler):
 """Handles fetching and updating user profile information.
@@ -162,6 +165,11 @@ class BaseProfileHandler(BaseHandler):
 if not by_admin and target_user != requester.user:
 raise AuthError(400, "Cannot set another user's displayname")
+ if len(new_displayname) > MAX_DISPLAYNAME_LEN:
+ raise SynapseError(
+ 400, "Displayname is too long (max %i)" % (MAX_DISPLAYNAME_LEN, ),
+ )
+
 if new_displayname == '':
 new_displayname = None
@@ -217,6 +225,11 @@ class BaseProfileHandler(BaseHandler):
 if not by_admin and target_user != requester.user:
 raise AuthError(400, "Cannot set another user's avatar_url")
+ if len(new_avatar_url) > MAX_AVATAR_URL_LEN:
+ raise SynapseError(
+ 400, "Avatar URL is too long (max %i)" % (MAX_AVATAR_URL_LEN, ),
+ )
+
 yield self.store.set_profile_avatar_url(
 target_user.localpart, new_avatar_url
 ) |
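Review bot: The two constants added in the first hunk have no comment saying what unit they are in or what the limit protects, and the checks that use them compare against `len()`, which counts characters of a text string rather than encoded bytes. I would add a comment above `MAX_DISPLAYNAME_LEN` such as `# Upper bounds on user-supplied profile fields, measured with len() (characters, not bytes)`. If the purpose is to bound what gets stored or sent to other servers, the comment should say so, since a 100-character name can occupy several hundred bytes once encoded as UTF-8.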
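Review bot: `len(new_displayname)` in the second hunk runs before anything establishes that the value is a string, so a non-string either raises TypeError (a number or null) or is measured by element count (a list or object) and passes the limit. The callers are outside this diff, so whether such a value can reach the handler is an assumption to confirm; if it arrives straight from a request body, reject it first with something like `if not isinstance(new_displayname, str): raise SynapseError(400, "Displayname must be a string")`, using whichever text type the file targets. The same gap applies to `len(new_avatar_url)` in the third hunk. Both checks are placed after the AuthError guard, so an unauthorised caller cannot use the error message to probe the limit; both function bodies begin and end outside their hunks.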