Define field limit for SSH Key title

ikus060 · Sep 25, 2022 · 626cca1 · 626cca1
1 parent 667657c
commit 626cca1
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -107,14 +107,15 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
-## 2.4.8 (2022-09-24)
+## 2.4.8 (2022-09-26)
 
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
 
 * Clean-up invalid path on error page
 * Limit username field length [CVE-2022-3290](https://nvd.nist.gov/vuln/detail/CVE-2022-3290)
 * Limit user's email field length [CVE-2022-3272](https://nvd.nist.gov/vuln/detail/CVE-2022-3272)
 * Limit user's root directory field length [CVE-2022-3295](https://nvd.nist.gov/vuln/detail/CVE-2022-3295)
+* Limit SSH Key title field length [CVE-2022-3298](https://nvd.nist.gov/vuln/detail/CVE-2022-3298)
 
 ## 2.4.7 (2002-09-21)
 

diff --git a/rdiffweb/controller/pref_sshkeys.py b/rdiffweb/controller/pref_sshkeys.py
@@ -50,7 +50,13 @@ class SshForm(CherryForm):
     title = StringField(
         _('Title'),
         description=_('The title is an optional description to identify the key. e.g.: bob@thinkpad-t530'),
-        validators=[validators.data_required()],
+        validators=[
+            validators.data_required(),
+            validators.length(
+                max=256,
+                message=_('Title too long.'),
+            ),
+        ],
     )
     key = StringField(
         _('Key'),

diff --git a/rdiffweb/controller/tests/test_page_prefs_ssh.py b/rdiffweb/controller/tests/test_page_prefs_ssh.py
@@ -111,6 +111,23 @@ def test_add_get_method(self):
         # Then ssh key is not added
         self.assertEqual(0, len(list(user.authorizedkeys)))
 
+    def test_add_with_title_too_long(self):
+        # Given an authenticated user without any ssh keys
+        user = self.app.store.get_user('admin')
+        for key in user.authorizedkeys:
+            user.delete_authorizedkey(key.fingerprint)
+        self.assertEqual(0, len(list(user.authorizedkeys)))
+        # When adding a key with title too long.
+        self._add_ssh_key(
+            "title" * 52,
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSEN5VTn9MLituZvdYTZMbZEaMxe0UuU7BelxHkvxzSpVWtazrIBEc3KZjtVoK9F3+0kd26P4DzSQuPUl3yZDgyZZeXrF6p2GlEA7A3tPuOEsAQ9c0oTiDYktq5/Go8vD+XAZKLd//qmCWW1Jg4datkWchMKJzbHUgBrBH015FDbGvGDWYTfVyb8I9H+LQ0GmbTHsuTu63DhPODncMtWPuS9be/flb4EEojMIx5Vce0SNO9Eih38W7jTvNWxZb75k5yfPJxBULRnS5v/fPnDVVtD3JSGybSwKoMdsMX5iImAeNhqnvd8gBu1f0IycUQexTbJXk1rPiRcF13SjKrfXz ikus060@ikus060-t530",
+        )
+        # Then page return with error
+        self.assertStatus('200 OK')
+        self.assertInBody('Title too long.')
+        # Then key is not added
+        self.assertEqual(0, len(list(user.authorizedkeys)))
+
     def test_delete(self):
         # Delete existing keys
         user = self.app.store.get_user('admin')