Here's the patch from the security team to prevent DoS on filter_url().
From linclark (Discovered by):
"Today QA created a piece of content on our D7 site in order to test text-wrapping for extremely long words. In the body, he created a since word easily in the thousands of characters (I didn't count). After saving that, the admin/content page would no longer load as it would hit the PHP max execution time limit. I changed it to 60 seconds and it was still hitting that limit.
A developer then traced the bug to _filter_url:
After a little more investigation, the _filter_url() function is where all of the time is being used... Granted, it is invalid content but still a DoS vulnerability."
Please give commit credit to chx, jwineinger, and linclark. See http://stackoverflow.com/questions/386294/maximum-length-of-a-valid-emai... for some background. Private tracker #69603
Comment | File | Size | Author |
---|---|---|---|
#10 | drupal-1558468-10-revert.patch | 1.74 KB | tim.plunkett |
#10 | drupal-1558468-10.patch | 1.23 KB | tim.plunkett |
#6 | long-email-with-tests-1558468-6-test-only.patch | 1.25 KB | Berdir |
#6 | long-email-with-tests-1558468-6.patch | 1.77 KB | Berdir |
#3 | long-email-with-tests-1558468-3-test-only.patch | 1.09 KB | Berdir |
Comments
Comment #1
BerdirPorted and working on adding a test. Completely untested, let's see how this goes.
Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedHello,
If you want to insert long url then you can shorten them by using bitly (https://bitly.com/), It may solve the problem of long url.
Comment #3
Berdirboth passed? Well, that's not what should have happened... Looks like it's because I forgot to add the mailto:.
@viswanath_polaki: This is not making long mails work, this is to prevent a security issue when there is one.
Comment #5
MustangGB CreditAttribution: MustangGB commentedShouldn't the entire length of the email address be less than or equal to 254, rather than just the part before the @ sign?
Comment #6
Berdir@akamustang, Yeah, looks like it, after reading the referenced documentation. It looks like the whole thing can be up to 254 characters and the local part only 64. Interestingly, $domain is actually limited to 64.
Anyway, here are tests for the current behavior of the code.
Comment #7
BerdirComment #8
sunThanks, looks good to me.
Please note the additional commit credits in the OP.
Comment #9
catchCommitted/pushed to 8.x, we should backport the tests to 7.x, tagging novice for the backport.
Comment #10
tim.plunkettThe first patch reverts the fix in D7 to show the tests fail, the second is the tests and the one to commit.
Comment #11
jthorson CreditAttribution: jthorson commentedYup, that's the same test. If it was good enough for D8 (despite the double blank lines), then I'll play along and say it's good enough for D7 too.
Though I wonder if the 500+ character array key might have been overkill ... "person@example.com or mailto:person2@example.com or (254-character-username)@example.com but not (255-character-username)@example.com" may have been enough. ;)
Comment #12
David_Rothstein CreditAttribution: David_Rothstein commentedCommitted to 7.x - thanks! http://drupalcode.org/project/drupal.git/commit/d98d586
Comment #13.0
(not verified) CreditAttribution: commentedx