author | Erik Johnston <erik@matrix.org> | 2016-07-06 11:16:10 +0100 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2016-07-06 11:17:53 +0100 |
commit | 76b18df3d95cd881017a9aa5c8473409928faecd (patch) | |
tree | 083de3e29e9cf01b2376b52abc315513e28e37af /synapse/rest | |
parent | Add null separator to hmac (diff) | |
download | synapse-76b18df3d95cd881017a9aa5c8473409928faecd.tar.xz |
Check that there are no null bytes in user and password
Diffstat (limited to 'synapse/rest')
-rw-r--r-- | synapse/rest/client/v1/register.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py index 83872f5f60..ce7099b18f 100644 --- a/synapse/rest/client/v1/register.py +++ b/synapse/rest/client/v1/register.py @@ -327,6 +327,12 @@ class RegisterRestServlet(ClientV1RestServlet): password = register_json["password"].encode("utf-8") admin = register_json.get("admin", None) + # Its important to check as we use null bytes as HMAC field separators + if "\x00" in user: + raise SynapseError(400, "Invalid user") + if "\x00" in password: + raise SynapseError(400, "Invalid password") + # str() because otherwise hmac complains that 'unicode' does not # have the buffer interface got_mac = str(register_json["mac"]) |
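Review bot: The new guards reject NULs only in `user` and `password`, but the MAC that the parent commit joins with `\x00` separators presumably also covers the other fields sent under the shared secret (at least `admin`, read on the context line just above); any further string field that is fed into that HMAC needs the same check, otherwise the separator stays ambiguous for that field. The comment should state the reason rather than just that it matters, e.g. `# Reject embedded NULs: the shared-secret MAC is computed over the fields joined by "\x00", so a NUL inside a field would let two different (user, password) pairs produce identical MAC input.` Note also that `password` is a byte string after the `.encode("utf-8")` on the line above, so `"\x00" in password` only works because this code runs on Python 2 (the `str()`/`unicode` comment below confirms that); under Python 3 it raises TypeError and would need `b"\x00"`. Length-prefixing each field before hashing would remove the ambiguity without a per-field check, although rejecting NULs is a reasonable input restriction for usernames and passwords. The enclosing method starts and ends outside this hunk.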