summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--synapse/handlers/profile.py37
1 files changed, 34 insertions, 3 deletions
diff --git a/synapse/handlers/profile.py b/synapse/handlers/profile.py
index a65c98ff5c..b99d1655aa 100644
--- a/synapse/handlers/profile.py
+++ b/synapse/handlers/profile.py
@@ -31,6 +31,9 @@ from ._base import BaseHandler
 
 logger = logging.getLogger(__name__)
 
+MAX_DISPLAYNAME_LEN = 128
+MAX_AVATARURL_LEN = 128
+
 
 class BaseProfileHandler(BaseHandler):
     """Handles fetching and updating user profile information.
@@ -80,6 +83,10 @@ class BaseProfileHandler(BaseHandler):
                     },
                     ignore_backoff=True,
                 )
+                if len(result.get("displayname", "")) > MAX_DISPLAYNAME_LEN:
+                    raise SynapseError(404, "Displayname is too long", Codes.UNKNONW)
+                if len(result.get("avatar_url", "")) > MAX_AVATARURL_LEN:
+                    raise SynapseError(404, "Avatar_url is too long", Codes.UNKNONW)
                 defer.returnValue(result)
             except CodeMessageException as e:
                 if e.code != 404:
@@ -142,6 +149,9 @@ class BaseProfileHandler(BaseHandler):
                 if e.code != 404:
                     logger.exception("Failed to get displayname")
                 raise
+            
+            if len(result.get("displayname", "")) > MAX_DISPLAYNAME_LEN:
+                raise SynapseError(404, "Displayname is too long", Codes.UNKNONW)
 
             defer.returnValue(result["displayname"])
 
@@ -156,10 +166,13 @@ class BaseProfileHandler(BaseHandler):
             by_admin (bool): Whether this change was made by an administrator.
         """
         if not self.hs.is_mine(target_user):
-            raise SynapseError(400, "User is not hosted on this Home Server")
+            raise SynapseError(403, "User is not hosted on this Home Server")
 
         if not by_admin and target_user != requester.user:
-            raise AuthError(400, "Cannot set another user's displayname")
+            raise AuthError(403, "Cannot set another user's displayname")
+            
+        if len(new_displayname) > MAX_DISPLAYNAME_LEN:
+            raise SynapseError(400, "Displayname is too long", Codes.UNKNONW)
 
         if new_displayname == '':
             new_displayname = None
@@ -185,7 +198,7 @@ class BaseProfileHandler(BaseHandler):
                 )
             except StoreError as e:
                 if e.code == 404:
-                    raise SynapseError(404, "Profile was not found", Codes.NOT_FOUND)
+                    raise SynapseError(400, "Profile was not found", Codes.NOT_FOUND)
                 raise
             defer.returnValue(avatar_url)
         else:
@@ -204,6 +217,9 @@ class BaseProfileHandler(BaseHandler):
                     logger.exception("Failed to get avatar_url")
                 raise
 
+            if len(result.get("avatar_url", "")) > MAX_AVATARURL_LEN:
+                raise SynapseError(400, "Avatar_url is too long", Codes.UNKNONW)
+
             defer.returnValue(result["avatar_url"])
 
     @defer.inlineCallbacks
@@ -216,6 +232,10 @@ class BaseProfileHandler(BaseHandler):
         if not by_admin and target_user != requester.user:
             raise AuthError(400, "Cannot set another user's avatar_url")
 
+            
+        if len(new_avatar_url) > MAX_AVATARURL_LEN:
+            raise SynapseError(400, "Avatar_url is too long", Codes.UNKNONW)
+            
         yield self.store.set_profile_avatar_url(
             target_user.localpart, new_avatar_url
         )
@@ -252,6 +272,12 @@ class BaseProfileHandler(BaseHandler):
                 raise SynapseError(404, "Profile was not found", Codes.NOT_FOUND)
             raise
 
+        if len(response.get("displayname", "")) > MAX_DISPLAYNAME_LEN:
+            raise SynapseError(400, "Displayname is too long", Codes.UNKNONW)
+
+        if len(response.get("avatar_url", "")) > MAX_AVATARURL_LEN:
+            raise SynapseError(400, "Avatar_url is too long", Codes.UNKNONW)
+
         defer.returnValue(response)
 
     @defer.inlineCallbacks
@@ -335,6 +361,11 @@ class MasterProfileHandler(BaseProfileHandler):
                     user_id, displayname, avatar_url
                 )
                 continue
+            
+            if len(profile.get("displayname", "")) > MAX_DISPLAYNAME_LEN:
+                raise SynapseError(400, "Displayname is too long", Codes.UNKNONW)
+            if len(profile.get("avatar_url", "")) > MAX_AVATARURL_LEN:
+                raise SynapseError(400, "Avatar_url is too long", Codes.UNKNONW)
 
             new_name = profile.get("displayname")
             new_avatar = profile.get("avatar_url")