Check that there are no null bytes in user and passsword

This commit is contained in:
Erik Johnston 2016-07-06 11:16:10 +01:00
parent 0da24cac8b
commit 76b18df3d9
1 changed files with 6 additions and 0 deletions

View File

@ -327,6 +327,12 @@ class RegisterRestServlet(ClientV1RestServlet):
password = register_json["password"].encode("utf-8") password = register_json["password"].encode("utf-8")
admin = register_json.get("admin", None) admin = register_json.get("admin", None)
# Its important to check as we use null bytes as HMAC field separators
if "\x00" in user:
raise SynapseError(400, "Invalid user")
if "\x00" in password:
raise SynapseError(400, "Invalid password")
# str() because otherwise hmac complains that 'unicode' does not # str() because otherwise hmac complains that 'unicode' does not
# have the buffer interface # have the buffer interface
got_mac = str(register_json["mac"]) got_mac = str(register_json["mac"])