Bug 1202447: [SECURITY] The email address is not properly validated during…

Bug 1202447: [SECURITY] The email address is not properly validated during registration if longer than 127 characters r=LpSolit,a=justdave

Bug 1202447: [SECURITY] The email address is not properly validated during…
69386c52 · Byron Jones ‹:glob› · David Lawrence · eff343a6 · 69386c52
Commit 69386c52 authored Sep 10, 2015 by Byron Jones ‹:glob› Committed by David Lawrence Sep 10, 2015
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

Util.pm Bugzilla/Util.pm +9 -3

No files found.
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -676,12 +676,18 @@ sub validate_email_syntax {
    # RFC 2822 section 2.1 specifies that email addresses must
    # be made of US-ASCII characters only.
    # Email::Address::addr_spec doesn't enforce this.
-    my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
-    if ($ret) {
+    # We set the max length to 127 to ensure addresses aren't truncated when
+    # inserted into the tokens.eventdata field.
+    if ($addr =~ /$match/
+        && $email !~ /\P{ASCII}/
+        && $email =~ /^$addr_spec$/
+        && length($email) <= 127)
+    {
        # We assume these checks to suffice to consider the address untainted.
        trick_taint($_[0]);
+        return 1;
    }
-    return $ret ? 1 : 0;
+    return 0;
 }

 sub check_email_syntax {