Skip to content

Commit

Permalink
feat: Limit email input on auth pages to 255 chars
Browse files Browse the repository at this point in the history
Excessively long emails reported make server unresponsive.

We could at some point, consider adding a configuration for sysadmins to bypass this setting
on their instance if they want.

Signed-off-by: fenn-cs <[email protected]>
  • Loading branch information
nfebe committed Mar 16, 2024
1 parent eb61f6b commit b6a0c6a
Show file tree
Hide file tree
Showing 5 changed files with 60 additions and 2 deletions.
8 changes: 7 additions & 1 deletion core/Controller/LoginController.php
Original file line number Diff line number Diff line change
Expand Up @@ -336,9 +336,15 @@ public function tryLogin(Chain $loginChain,
);
}

$user = trim($user);

if (strlen($user) > 255) {
return new JSONResponse($this->error($this->l10n->t('Unsupported email length (>255)')));

Check failure

Code scanning / Psalm

UndefinedClass Error

Class, interface or enum named OC\Core\Controller\JSONResponse does not exist

Check failure

Code scanning / Psalm

UndefinedMethod Error

Method OC\Core\Controller\LoginController::error does not exist

Check failure on line 342 in core/Controller/LoginController.php

View workflow job for this annotation

GitHub Actions / static-code-analysis

UndefinedClass

core/Controller/LoginController.php:342:15: UndefinedClass: Class, interface or enum named OC\Core\Controller\JSONResponse does not exist (see https://psalm.dev/019)

Check failure on line 342 in core/Controller/LoginController.php

View workflow job for this annotation

GitHub Actions / static-code-analysis

UndefinedMethod

core/Controller/LoginController.php:342:35: UndefinedMethod: Method OC\Core\Controller\LoginController::error does not exist (see https://psalm.dev/022)
}

$data = new LoginData(
$this->request,
trim($user),
$user,
$password,
$redirect_url,
$timezone,
Expand Down
4 changes: 4 additions & 0 deletions core/Controller/LostController.php
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,10 @@ public function email(string $user): JSONResponse {

$user = trim($user);

if (strlen($user) > 255) {
return new JSONResponse($this->error($this->l10n->t('Unsupported email length (>255)')));
}

\OCP\Util::emitHook(
'\OCA\Files_Sharing\API\Server2Server',
'preLoginNameUsedAsUserName',
Expand Down
8 changes: 7 additions & 1 deletion core/src/components/login/LoginForm.vue
Original file line number Diff line number Diff line change
Expand Up @@ -62,12 +62,15 @@
ref="user"
:label="loginText"
name="user"
:maxlength="255"
:value.sync="user"
:class="{shake: invalidPassword}"
autocapitalize="none"
:spellchecking="false"
:autocomplete="autoCompleteAllowed ? 'username' : 'off'"
required
:error="userNameInputLengthIs255"
:helper-text="userInputHelperText"
data-login-form-input-user
@change="updateUsername" />

Expand Down Expand Up @@ -117,6 +120,8 @@ import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'

import LoginButton from './LoginButton.vue'

import AuthMixin from '../../mixins/auth.js'

export default {
name: 'LoginForm',

Expand All @@ -126,6 +131,7 @@ export default {
NcTextField,
NcNoteCard,
},
mixins: [AuthMixin],

props: {
username: {
Expand Down Expand Up @@ -160,7 +166,7 @@ export default {
type: Array,
default() {
return []
}
},
},
},

Expand Down
6 changes: 6 additions & 0 deletions core/src/components/login/ResetPassword.vue
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,11 @@
<NcTextField id="user"
:value.sync="user"
name="user"
:maxlength="255"
autocapitalize="off"
:label="t('core', 'Login or email')"
:error="userNameInputLengthIs255"
:helper-text="userInputHelperText"
required
@change="updateUsername" />
<LoginButton :value="t('core', 'Reset password')" />
Expand Down Expand Up @@ -60,13 +63,16 @@ import LoginButton from './LoginButton.vue'
import NcTextField from '@nextcloud/vue/dist/Components/NcTextField.js'
import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'

import AuthMixin from '../../mixins/auth.js'

export default {
name: 'ResetPassword',
components: {
LoginButton,
NcNoteCard,
NcTextField,
},
mixins: [AuthMixin],
props: {
username: {
type: String,
Expand Down
36 changes: 36 additions & 0 deletions core/src/mixins/auth.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
/**
* @copyright Copyright (c) 2024 Fon E. Noel NFEBE <[email protected]>
*
* @author Fon E. Noel NFEBE <[email protected]>
*
* @license AGPL-3.0-or-later
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

export default {

computed: {
userNameInputLengthIs255() {
return this.user.length >= 255
},
userInputHelperText() {
if (this.userNameInputLengthIs255) {
return t('core', 'Email length is at max (255)')
}
return undefined
},
},
}

0 comments on commit b6a0c6a

Please sign in to comment.