From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 13 Apr 2021 15:24:20 +0000 (+0000)
Subject: Limit size of properties to 2048 characters
X-Git-Tag: v20.0.10RC1~1^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fpull%2F26542%2Fhead;p=nextcloud-server.git

Limit size of properties to 2048 characters

It is unreasonable to expect that one of these fields would be longer
than 2048 characters. Whilst some have definitely lower limits (such as
for phone numbers or domain names), a upper bound as sanity check makes
sense.

Backport of https://github.com/nextcloud/server/pull/26433

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---

diff --git a/lib/private/Accounts/AccountManager.php b/lib/private/Accounts/AccountManager.php
index 1f23e7e33a3..24adeaeb3ac 100644
--- a/lib/private/Accounts/AccountManager.php
+++ b/lib/private/Accounts/AccountManager.php
@@ -93,6 +93,14 @@ class AccountManager implements IAccountManager {
 	public function updateUser(IUser $user, $data) {
 		$userData = $this->getUser($user);
 		$updated = true;
+
+		// set a max length
+		foreach ($data as $propertyName => $propertyData) {
+			if (isset($data[$propertyName]) && isset($data[$propertyName]['value']) && strlen($data[$propertyName]['value']) > 2048) {
+				$data[$propertyName]['value'] = '';
+			}
+		}
+
 		if (empty($userData)) {
 			$this->insertNewUser($user, $data);
 		} elseif ($userData !== $data) {