From 4ec4a99869b1d5f9f6fbcc4643440b719d7c04a3 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 13 Apr 2021 15:24:20 +0000 Subject: [PATCH] Limit size of properties to 2048 characters It is unreasonable to expect that one of these fields would be longer than 2048 characters. Whilst some have definitely lower limits (such as for phone numbers or domain names), a upper bound as sanity check makes sense. Backport of https://github.com/nextcloud/server/pull/26433 Signed-off-by: Lukas Reschke --- lib/private/Accounts/AccountManager.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/private/Accounts/AccountManager.php b/lib/private/Accounts/AccountManager.php index 1f23e7e33a3..24adeaeb3ac 100644 --- a/lib/private/Accounts/AccountManager.php +++ b/lib/private/Accounts/AccountManager.php @@ -93,6 +93,14 @@ class AccountManager implements IAccountManager { public function updateUser(IUser $user, $data) { $userData = $this->getUser($user); $updated = true; + + // set a max length + foreach ($data as $propertyName => $propertyData) { + if (isset($data[$propertyName]) && isset($data[$propertyName]['value']) && strlen($data[$propertyName]['value']) > 2048) { + $data[$propertyName]['value'] = ''; + } + } + if (empty($userData)) { $this->insertNewUser($user, $data); } elseif ($userData !== $data) { -- 2.39.5