From 626cca1b75b6c587afd4241a9692e8929b1921a5 Mon Sep 17 00:00:00 2001
From: Patrik Dufresne
Date: Sun, 25 Sep 2022 16:59:58 -0400
Subject: [PATCH] Define field limit for SSH Key title
---
 README.md | 3 ++-
 rdiffweb/controller/pref_sshkeys.py | 8 +++++++-
 .../controller/tests/test_page_prefs_ssh.py | 17 +++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index cec106a5..b87086f4 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 # Changelog
-## 2.4.8 (2022-09-24)
+## 2.4.8 (2022-09-26)
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
@@ -115,6 +115,7 @@ This releases include a security fix. If you are using an earlier version, you s
 * Limit username field length [CVE-2022-3290](https://nvd.nist.gov/vuln/detail/CVE-2022-3290)
 * Limit user's email field length [CVE-2022-3272](https://nvd.nist.gov/vuln/detail/CVE-2022-3272)
 * Limit user's root directory field length [CVE-2022-3295](https://nvd.nist.gov/vuln/detail/CVE-2022-3295)
+* Limit SSH Key title field length [CVE-2022-3298](https://nvd.nist.gov/vuln/detail/CVE-2022-3298)
 ## 2.4.7 (2002-09-21)
diff --git a/rdiffweb/controller/pref_sshkeys.py b/rdiffweb/controller/pref_sshkeys.py
index 4fc35557..67fe52f8 100644
--- a/rdiffweb/controller/pref_sshkeys.py
+++ b/rdiffweb/controller/pref_sshkeys.py
@@ -50,7 +50,13 @@ class SshForm(CherryForm):
 title = StringField(
 _('Title'),
 description=_('The title is an optional description to identify the key. e.g.: bob@thinkpad-t530'),
- validators=[validators.data_required()],
+ validators=[
+ validators.data_required(),
+ validators.length(
+ max=256,
+ message=_('Title too long.'),
+ ),
+ ],
 )
 key = StringField(
 _('Key'),
diff --git a/rdiffweb/controller/tests/test_page_prefs_ssh.py b/rdiffweb/controller/tests/test_page_prefs_ssh.py
index 3ef499ac..a8d0d0fc 100644
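Review bot: The new `validators.length(max=256, ...)` on the title field bounds the value in characters, not bytes (assuming `validators` is wtforms, whose `Length` compares `len(field.data)`), so a 256-character title of non-ASCII text can still be far longer than 256 bytes; the hunk does not show where the title is persisted, so confirm the storage column's width and unit agree with this limit. The changelog in this same patch adds equivalent limits to username, email and root directory; if each is written as a bare literal, a shared module-level constant such as `TITLE_MAX_LENGTH = 256` with a comment like `# keep in sync with the authorized-key model column width` would stop the values drifting apart. The sibling `key` field's validators begin at the last line of the hunk and continue outside it, so I cannot tell whether the key value itself is bounded; SshForm extends beyond the hunk on both sides.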
--- a/rdiffweb/controller/tests/test_page_prefs_ssh.py
+++ b/rdiffweb/controller/tests/test_page_prefs_ssh.py
@@ -111,6 +111,23 @@ def test_add_get_method(self):
 # Then ssh key is not added
 self.assertEqual(0, len(list(user.authorizedkeys)))
+ def test_add_with_title_too_long(self):
+ # Given an authenticated user without any ssh keys
+ user = self.app.store.get_user('admin')
+ for key in user.authorizedkeys:
+ user.delete_authorizedkey(key.fingerprint)
+ self.assertEqual(0, len(list(user.authorizedkeys)))
+ # When adding a key with title too long.
+ self._add_ssh_key(
+ "title" * 52,
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSEN5VTn9MLituZvdYTZMbZEaMxe0UuU7BelxHkvxzSpVWtazrIBEc3KZjtVoK9F3+0kd26P4DzSQuPUl3yZDgyZZeXrF6p2GlEA7A3tPuOEsAQ9c0oTiDYktq5/Go8vD+XAZKLd//qmCWW1Jg4datkWchMKJzbHUgBrBH015FDbGvGDWYTfVyb8I9H+LQ0GmbTHsuTu63DhPODncMtWPuS9be/flb4EEojMIx5Vce0SNO9Eih38W7jTvNWxZb75k5yfPJxBULRnS5v/fPnDVVtD3JSGybSwKoMdsMX5iImAeNhqnvd8gBu1f0IycUQexTbJXk1rPiRcF13SjKrfXz ikus060@ikus060-t530",
+ )
+ # Then page return with error
+ self.assertStatus('200 OK')
+ self.assertInBody('Title too long.')
+ # Then key is not added
+ self.assertEqual(0, len(list(user.authorizedkeys)))
+
 def test_delete(self):
 # Delete existing keys
 user = self.app.store.get_user('admin')
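Review bot: The new test_add_with_title_too_long only submits a 260-character title (`"title" * 52`), so it cannot catch an off-by-one in the new limit; add a boundary case that submits exactly 256 characters and asserts the key is stored, e.g. `self._add_ssh_key("t" * 256, key)` followed by `self.assertEqual(1, len(list(user.authorizedkeys)))`, and one at 257 that asserts `'Title too long.'`. The limit would then be spelled as a literal in both the form and the test; importing it from the form module (or a shared constant) keeps the two from diverging silently. If the long public-key literal is reused by other tests in this file (not visible in the hunk), hoisting it to a module-level constant would make each test shorter and the intent of the title argument more visible. The new method fits entirely inside the hunk; test_delete continues outside it.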