arno/isso
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

limit email length to 254 to avoid hash-DDoS

Browse Source
This commit is contained in:
Martin Zimmermann 2013-11-03 12:35:33 +01:00
parent 0473afe2db
commit c567758d81
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
isso/views/comment.py
View File

@ -60,6 +60,9 @@ def new(app, environ, request, uri):
if "id" in data and not isinstance(data["id"], int): if "id" in data and not isinstance(data["id"], int):
raise BadRequest("parent id must be an integer") raise BadRequest("parent id must be an integer")
if len(data.get("email") or "") > 254:
raise BadRequest("http://tools.ietf.org/html/rfc5321#section-4.5.3")
for field in ("author", "email"): for field in ("author", "email"):
if data.get(field): if data.get(field):
data[field] = cgi.escape(data[field]) data[field] = cgi.escape(data[field])