mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2024-10-01 11:49:51 -04:00
parent
0922462fc7
commit
8e2759f2d8
1
changelog.d/12454.misc
Normal file
1
changelog.d/12454.misc
Normal file
@ -0,0 +1 @@
|
||||
Limit length of device_id to less than 512 characters.
|
@ -342,6 +342,15 @@ class LoginRestServlet(RestServlet):
|
||||
user_id = canonical_uid
|
||||
|
||||
device_id = login_submission.get("device_id")
|
||||
|
||||
# If device_id is present, check that device_id is not longer than a reasonable 512 characters
|
||||
if device_id and len(device_id) > 512:
|
||||
raise LoginError(
|
||||
400,
|
||||
"device_id cannot be longer than 512 characters.",
|
||||
errcode=Codes.INVALID_PARAM,
|
||||
)
|
||||
|
||||
initial_display_name = login_submission.get("initial_device_display_name")
|
||||
(
|
||||
device_id,
|
||||
|
@ -11,7 +11,7 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import json
|
||||
import time
|
||||
import urllib.parse
|
||||
from typing import Any, Dict, List, Optional, Union
|
||||
@ -384,6 +384,31 @@ class LoginRestServletTestCase(unittest.HomeserverTestCase):
|
||||
channel = self.make_request(b"POST", "/logout/all", access_token=access_token)
|
||||
self.assertEqual(channel.result["code"], b"200", channel.result)
|
||||
|
||||
def test_login_with_overly_long_device_id_fails(self) -> None:
|
||||
self.register_user("mickey", "cheese")
|
||||
|
||||
# create a device_id longer than 512 characters
|
||||
device_id = "yolo" * 512
|
||||
|
||||
body = {
|
||||
"type": "m.login.password",
|
||||
"user": "mickey",
|
||||
"password": "cheese",
|
||||
"device_id": device_id,
|
||||
}
|
||||
|
||||
# make a login request with the bad device_id
|
||||
channel = self.make_request(
|
||||
"POST",
|
||||
"/_matrix/client/v3/login",
|
||||
json.dumps(body).encode("utf8"),
|
||||
custom_headers=None,
|
||||
)
|
||||
|
||||
# test that the login fails with the correct error code
|
||||
self.assertEqual(channel.code, 400)
|
||||
self.assertEqual(channel.json_body["errcode"], "M_INVALID_PARAM")
|
||||
|
||||
|
||||
@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
|
||||
class MultiSSOTestCase(unittest.HomeserverTestCase):
|
||||
|
Loading…
Reference in New Issue
Block a user