From 78c327e3f31f3a0a5cd9f9d2128b1e7ef948c3cc Mon Sep 17 00:00:00 2001 From: Stephan Date: Wed, 7 Dec 2016 17:02:14 +0100 Subject: [PATCH] Prevent rogue registrations from crashing db --- .../Our/Controllers/RegisterController.cs | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/OurUmbraco/Our/Controllers/RegisterController.cs b/OurUmbraco/Our/Controllers/RegisterController.cs index f6e73c74..d0bd5189 100644 --- a/OurUmbraco/Our/Controllers/RegisterController.cs +++ b/OurUmbraco/Our/Controllers/RegisterController.cs @@ -41,7 +41,7 @@ namespace OurUmbraco.Our.Controllers } var memberService = Services.MemberService; - + if (memberService.GetByEmail(model.Email) != null) { ModelState.AddModelError("Email", "A member with that email address already exists"); @@ -60,6 +60,28 @@ namespace OurUmbraco.Our.Controllers return Redirect("/"); } + // these values are enforced in MemberDto which is internal ;-( + // we should really have ways to query for Core meta-data! + const int maxEmailLength = 900; // 1000*.9 for safety + const int maxLoginNameLength = 900; // 1000*.9 for safety + const int maxPasswordLength = 900; // 1000*.9 for safety + const int maxPropertyLength = 900; // keep it safe too + + if (model.Email.Length > maxEmailLength + || model.Name.Length > maxLoginNameLength + || model.Password.Length > maxPasswordLength + || model.Location.Length > maxPropertyLength + || model.Longitude.Length > maxPropertyLength + || model.Latitude.Length > maxPropertyLength + || model.Company.Length > maxPropertyLength + || model.TwitterAlias.Length > maxPropertyLength + ) + { + // has to be a rogue registration + // go away! + return Redirect("/"); + } + var member = memberService.CreateMember(model.Email, model.Email, model.Name, "member"); member.SetValue("location", model.Location); member.SetValue("longitude", model.Longitude); @@ -86,7 +108,7 @@ namespace OurUmbraco.Our.Controllers memberService.AssignRole(member.Username, "standard"); - memberService.SavePassword(member, model.Password); + memberService.SavePassword(member, model.Password); Members.Login(model.Email, model.Password);