Mirrors
/
synapse
mirror of https://github.com/element-hq/synapse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Check that there are no null bytes in user and passsword

This commit is contained in:
Erik Johnston 2016-07-06 11:16:10 +01:00
parent 0da24cac8b
commit 76b18df3d9
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
synapse/rest/client/v1/register.py
View File

@ -327,6 +327,12 @@ class RegisterRestServlet(ClientV1RestServlet):
password = register_json["password"].encode("utf-8")
admin = register_json.get("admin", None)
# Its important to check as we use null bytes as HMAC field separators
if "\x00" in user:
raise SynapseError(400, "Invalid user")
if "\x00" in password:
raise SynapseError(400, "Invalid password")
# str() because otherwise hmac complains that 'unicode' does not
# have the buffer interface
got_mac = str(register_json["mac"])