Bug 1202447: [SECURITY] The email address is not properly validated during registrati...

author Byron Jones ‹:glob› <glob@mozilla.com>

Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)

committer David Lawrence <dkl@mozilla.com>

Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)
author Byron Jones ‹:glob› <glob@mozilla.com>
Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)
committer David Lawrence <dkl@mozilla.com>
Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm

index 4bd10e16c5ff0860ffe03055fcee9dbdf114c450..527bae85a88289d37e4d58906039d8fe9afa0d17 100644 (file)
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -681,12 +681,18 @@ sub validate_email_syntax {
      # RFC 2822 section 2.1 specifies that email addresses must
      # be made of US-ASCII characters only.
      # Email::Address::addr_spec doesn't enforce this.
-    my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
-    if ($ret) {
+    # We set the max length to 127 to ensure addresses aren't truncated when
+    # inserted into the tokens.eventdata field.
+    if ($addr =~ /$match/
+        && $email !~ /\P{ASCII}/
+        && $email =~ /^$addr_spec$/
+        && length($email) <= 127)
+    {
          # We assume these checks to suffice to consider the address untainted.
          trick_taint($_[0]);
+        return 1;
      }
-    return $ret ? 1 : 0;
+    return 0;
  }
  
  sub check_email_syntax {
author	Byron Jones ‹:glob› <glob@mozilla.com>
	Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)
committer	David Lawrence <dkl@mozilla.com>
	Thu, 10 Sep 2015 17:27:44 +0000 (13:27 -0400)