Diffstat (limited to 'synapse/rest')
-rw-r--r--synapse/rest/client/v2_alpha/register.py13
-rw-r--r--synapse/rest/media/v1/thumbnailer.py2
2 files changed, 12 insertions, 3 deletions
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index 72dfb876c5..0c737d73b8 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -57,10 +57,19 @@ class RegisterRestServlet(RestServlet):
         yield run_on_reactor()
 
         body = parse_request_allow_empty(request)
-        if 'password' not in body:
-            raise SynapseError(400, "", Codes.MISSING_PARAM)
+        # we do basic sanity checks here because the auth
+        # layer will store these in sessions
+        if 'password' in body:
+            if ((not isinstance(body['password'], str) and
+                    not isinstance(body['password'], unicode)) or
+                    len(body['password']) > 512):
+                raise SynapseError(400, "Invalid password")
 
         if 'username' in body:
+            if ((not isinstance(body['username'], str) and
+                    not isinstance(body['username'], unicode)) or
+                    len(body['username']) > 512):
+                raise SynapseError(400, "Invalid username")
             desired_username = body['username']
             yield self.registration_handler.check_username(desired_username)
 
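Review bot: The 512 limit in both new guards is applied with `len()` to a value that may be `unicode`, so it bounds characters rather than the encoded size; if the aim stated in the comment is to limit what the auth layer stores in sessions, a byte-length check would match that intent more closely. The two type tests can also be written once each as `if not isinstance(body['password'], basestring) or len(body['password']) > 512:` (the hunk already relies on Python 2's `unicode`), and the same form applies to `username`. Both new `SynapseError(400, ...)` calls omit an errcode, whereas the removed line passed `Codes.MISSING_PARAM`, so clients that match on the code lose that signal. With the `'password' not in body` check removed, a request without a password now passes this point; the method continues outside the hunk, so it is worth confirming that presence is still enforced before registration completes.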
diff --git a/synapse/rest/media/v1/thumbnailer.py b/synapse/rest/media/v1/thumbnailer.py
index 28404f2b7b..1e965c363a 100644
--- a/synapse/rest/media/v1/thumbnailer.py
+++ b/synapse/rest/media/v1/thumbnailer.py
@@ -82,7 +82,7 @@ class Thumbnailer(object):
 
     def save_image(self, output_image, output_type, output_path):
         output_bytes_io = BytesIO()
-        output_image.save(output_bytes_io, self.FORMATS[output_type], quality=70)
+        output_image.save(output_bytes_io, self.FORMATS[output_type], quality=80)
         output_bytes = output_bytes_io.getvalue()
         with open(output_path, "wb") as output_file:
             output_file.write(output_bytes)