Headline
CVE-2022-3272: Define field limit for username, email and root directory #223 · ikus060/rdiffweb@667657c
Improper Handling of Length Parameter Inconsistency in GitHub repository ikus060/rdiffweb prior to 2.4.8.
@@ -239,6 +239,33 @@ def test_add_without_user_root(self):
user = self.app.store.get_user(‘test6’)
self.assertEqual('’, user.user_root)
def test_add_with_username_too_long(self):
# Given a too long username
username = “test2” * 52
# When trying to create the user
self._add_user(username, None, "password", "/tmp/", USER_ROLE)
# Then an error is raised
self.assertStatus(200)
self.assertInBody(“Username too long.”)
def test_add_with_email_too_long(self):
# Given a too long username
email = (“test2” * 50) + “@test.com”
# When trying to create the user
self._add_user("test2", email, "password", "/tmp/", USER_ROLE)
# Then an error is raised
self.assertStatus(200)
self.assertInBody(“Email too long.”)
def test_add_with_user_root_too_long(self):
# Given a too long user root
user_root = “/temp/” * 50
# When trying to create the user
self._add_user("test2", "test@test,com", "password", user_root, USER_ROLE)
# Then an error is raised
self.assertStatus(200)
self.assertInBody(“Root directory too long.”)
def test_delete_user_with_not_existing_username(self):
“"”
Verify failure to delete invalid username.
Related news
rdiffweb prior to 2.4.8 does not validate email length, allowing users to insert an email longer than 255 characters. If a user signs up with an email with a length of 1 million or more characters and logs in, withdraws, or changes their email, the server may cause denial of service due to overload. Version 2.4.8 sets length limits for username, email, and root directory.