Limit displaynames and avatar URLs
These end up in join events everywhere, so let's limit them. Fixes #5079
parent
e26e6b3230
commit
d16c6375fe
3 changed files with 16 additions and 0 deletions
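--- a/changelog.d/5309.bugfix
+++ b/changelog.d/5309.bugfix
@@ -0,0 +1 @@
+Prevent users from setting huge displaynames and avatar URLs.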
|
|
@ -31,6 +31,9 @@ from ._base import BaseHandler
|
|||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
MAX_DISPLAYNAME_LEN = 100
|
||||
MAX_AVATAR_URL_LEN = 1000
|
||||
|
||||
|
||||
class BaseProfileHandler(BaseHandler):
|
||||
"""Handles fetching and updating user profile information.
|
||||
|
@ -162,6 +165,11 @@ class BaseProfileHandler(BaseHandler):
|
|||
if not by_admin and target_user != requester.user:
|
||||
raise AuthError(400, "Cannot set another user's displayname")
|
||||
|
||||
if len(new_displayname) > MAX_DISPLAYNAME_LEN:
|
||||
raise SynapseError(
|
||||
400, "Displayname is too long (max %i)" % (MAX_DISPLAYNAME_LEN, ),
|
||||
)
|
||||
|
||||
if new_displayname == '':
|
||||
new_displayname = None
|
||||
|
||||
|
@ -217,6 +225,11 @@ class BaseProfileHandler(BaseHandler):
|
|||
if not by_admin and target_user != requester.user:
|
||||
raise AuthError(400, "Cannot set another user's avatar_url")
|
||||
|
||||
if len(new_avatar_url) > MAX_AVATAR_URL_LEN:
|
||||
raise SynapseError(
|
||||
400, "Avatar URL is too long (max %i)" % (MAX_AVATAR_URL_LEN, ),
|
||||
)
|
||||
|
||||
yield self.store.set_profile_avatar_url(
|
||||
target_user.localpart, new_avatar_url
|
||||
)
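Review bot: Both new limits call `len()` on a value whose type is not checked in the visible lines, so `len(new_displayname)` in the `-162` hunk and `len(new_avatar_url)` in the `-217` hunk bound the input only when it is a string. If a caller passes a decoded JSON value through unchanged, a `null` or a number would raise `TypeError` and surface as a server error rather than a 400, and a list or dict would be measured by element count, so the size limit would not hold. Unless the callers already guarantee a string, I would add a type guard ahead of each length check, for example `if not isinstance(new_displayname, str): raise SynapseError(400, "Displayname must be a string")`, and the same for the avatar URL. Both enclosing methods start and end outside the hunks, so any validation done by their callers is not visible here.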
|
||||
|
|
|
@ -531,6 +531,8 @@ class RegistrationHandler(BaseHandler):
|
|||
A tuple of (user_id, access_token).
|
||||
Raises:
|
||||
RegistrationError if there was a problem registering.
|
||||
|
||||
NB this is only used in tests. TODO: move it to the test package!
|
||||
"""
|
||||
if localpart is None:
|
||||
raise SynapseError(400, "Request must include user id")
|
||||
|
|