

Define field limit for SSH Key title
ikus060 committed Sep 25, 2022
1 parent 667657c commit 626cca1
Showing 3 changed files with 26 additions and 2 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -107,14 +107,15 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/

# Changelog

## 2.4.8 (2022-09-24)
## 2.4.8 (2022-09-26)

This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.

* Clean-up invalid path on error page
* Limit username field length [CVE-2022-3290](https://nvd.nist.gov/vuln/detail/CVE-2022-3290)
* Limit user's email field length [CVE-2022-3272](https://nvd.nist.gov/vuln/detail/CVE-2022-3272)
* Limit user's root directory field length [CVE-2022-3295](https://nvd.nist.gov/vuln/detail/CVE-2022-3295)
* Limit SSH Key title field length [CVE-2022-3298](https://nvd.nist.gov/vuln/detail/CVE-2022-3298)

## 2.4.7 (2002-09-21)

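--- a/rdiffweb/controller/pref_sshkeys.py
+++ b/rdiffweb/controller/pref_sshkeys.py
@@ -50,7 +50,13 @@ class SshForm(CherryForm):
     title = StringField(
         _('Title'),
         description=_('The title is an optional description to identify the key. e.g.: bob@thinkpad-t530'),
-        validators=[validators.data_required()],
+        validators=[
+            validators.data_required(),
+            validators.length(
+                max=256,
+                message=_('Title too long.'),
+            ),
+        ],
     )
     key = StringField(
         _('Key'),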
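Review bot: The `max=256` on the new `validators.length(...)` call is an unexplained constant; a short comment stating what it is derived from — presumably the width of the column the title is persisted in, which is not visible here — would let a maintainer keep the form and the storage limit in sync, e.g. `# keep in sync with the title column width of the authorized-keys store`. If this is the WTForms `Length` validator it counts characters rather than bytes, so a 256-character title made of multibyte characters can exceed a byte-limited column and be refused by the database instead of the form; worth confirming the column type before relying on this limit alone. The `key` field directly below starts in this hunk but its validators are outside it, so whether it carries a comparable limit cannot be judged from here. The SshForm class continues outside the hunk.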
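--- a/rdiffweb/controller/tests/test_page_prefs_ssh.py
+++ b/rdiffweb/controller/tests/test_page_prefs_ssh.py
@@ -111,6 +111,23 @@ def test_add_get_method(self):
         # Then ssh key is not added
         self.assertEqual(0, len(list(user.authorizedkeys)))
 
+    def test_add_with_title_too_long(self):
+        # Given an authenticated user without any ssh keys
+        user = self.app.store.get_user('admin')
+        for key in user.authorizedkeys:
+            user.delete_authorizedkey(key.fingerprint)
+        self.assertEqual(0, len(list(user.authorizedkeys)))
+        # When adding a key with title too long.
+        self._add_ssh_key(
+            "title" * 52,
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSEN5VTn9MLituZvdYTZMbZEaMxe0UuU7BelxHkvxzSpVWtazrIBEc3KZjtVoK9F3+0kd26P4DzSQuPUl3yZDgyZZeXrF6p2GlEA7A3tPuOEsAQ9c0oTiDYktq5/Go8vD+XAZKLd//qmCWW1Jg4datkWchMKJzbHUgBrBH015FDbGvGDWYTfVyb8I9H+LQ0GmbTHsuTu63DhPODncMtWPuS9be/flb4EEojMIx5Vce0SNO9Eih38W7jTvNWxZb75k5yfPJxBULRnS5v/fPnDVVtD3JSGybSwKoMdsMX5iImAeNhqnvd8gBu1f0IycUQexTbJXk1rPiRcF13SjKrfXz ikus060@ikus060-t530",
+        )
+        # Then page return with error
+        self.assertStatus('200 OK')
+        self.assertInBody('Title too long.')
+        # Then key is not added
+        self.assertEqual(0, len(list(user.authorizedkeys)))
+
     def test_delete(self):
         # Delete existing keys
         user = self.app.store.get_user('admin')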
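Review bot: The new test only exercises a rejected length (`"title" * 52` is 260 characters) and never the boundary, so a later change that silently tightened or loosened `max=256` would not be caught; add a companion case that submits a title of exactly 256 characters and asserts it is accepted, e.g. `self._add_ssh_key("t" * 256, <same key fixture>)` followed by `self.assertEqual(1, len(list(user.authorizedkeys)))`, and optionally one at 257 characters to pin the off-by-one. The "When" comment would read better as `# When adding a key whose title is 260 characters, above the 256 limit` so the reader does not have to compute the product. The enclosing test class starts outside the hunk.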
