mirror of
https://mau.dev/maunium/synapse.git
synced 2025-01-06 01:43:56 +01:00
parent
0922462fc7
commit
8e2759f2d8
3 changed files with 36 additions and 1 deletions
1
changelog.d/12454.misc
Normal file
1
changelog.d/12454.misc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Limit length of device_id to less than 512 characters.
|
|
@ -342,6 +342,15 @@ class LoginRestServlet(RestServlet):
|
||||||
user_id = canonical_uid
|
user_id = canonical_uid
|
||||||
|
|
||||||
device_id = login_submission.get("device_id")
|
device_id = login_submission.get("device_id")
|
||||||
|
|
||||||
|
# If device_id is present, check that device_id is not longer than a reasonable 512 characters
|
||||||
|
if device_id and len(device_id) > 512:
|
||||||
|
raise LoginError(
|
||||||
|
400,
|
||||||
|
"device_id cannot be longer than 512 characters.",
|
||||||
|
errcode=Codes.INVALID_PARAM,
|
||||||
|
)
|
||||||
|
|
||||||
initial_display_name = login_submission.get("initial_device_display_name")
|
initial_display_name = login_submission.get("initial_device_display_name")
|
||||||
(
|
(
|
||||||
device_id,
|
device_id,
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
import json
|
||||||
import time
|
import time
|
||||||
import urllib.parse
|
import urllib.parse
|
||||||
from typing import Any, Dict, List, Optional, Union
|
from typing import Any, Dict, List, Optional, Union
|
||||||
|
@ -384,6 +384,31 @@ class LoginRestServletTestCase(unittest.HomeserverTestCase):
|
||||||
channel = self.make_request(b"POST", "/logout/all", access_token=access_token)
|
channel = self.make_request(b"POST", "/logout/all", access_token=access_token)
|
||||||
self.assertEqual(channel.result["code"], b"200", channel.result)
|
self.assertEqual(channel.result["code"], b"200", channel.result)
|
||||||
|
|
||||||
|
def test_login_with_overly_long_device_id_fails(self) -> None:
|
||||||
|
self.register_user("mickey", "cheese")
|
||||||
|
|
||||||
|
# create a device_id longer than 512 characters
|
||||||
|
device_id = "yolo" * 512
|
||||||
|
|
||||||
|
body = {
|
||||||
|
"type": "m.login.password",
|
||||||
|
"user": "mickey",
|
||||||
|
"password": "cheese",
|
||||||
|
"device_id": device_id,
|
||||||
|
}
|
||||||
|
|
||||||
|
# make a login request with the bad device_id
|
||||||
|
channel = self.make_request(
|
||||||
|
"POST",
|
||||||
|
"/_matrix/client/v3/login",
|
||||||
|
json.dumps(body).encode("utf8"),
|
||||||
|
custom_headers=None,
|
||||||
|
)
|
||||||
|
|
||||||
|
# test that the login fails with the correct error code
|
||||||
|
self.assertEqual(channel.code, 400)
|
||||||
|
self.assertEqual(channel.json_body["errcode"], "M_INVALID_PARAM")
|
||||||
|
|
||||||
|
|
||||||
@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
|
@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
|
||||||
class MultiSSOTestCase(unittest.HomeserverTestCase):
|
class MultiSSOTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
Loading…
Reference in a new issue