Comments (10)
Ok, I'm ready to fix this.
I can put a limit that, if exceeded, would return an error (e.g. > 40 unicode chars in length, return an InvalidInputFormat error), but this perhaps needs to be written in the "hint" of the client.
Plus, this check would also be performed on email (> 40), password (< 6 and > 40) and description (> 400).
Sounds fine as hard-coded limits?
@hellais @fpietrosanti @evilaliv3
from globaleaks.
Sounds fine to me
from globaleaks.
@hellais can you also put a cap/limit on the client-side?
from globaleaks.
Why do we need to have limits to the size of inputs?
I mean, these inputs are things that are configurable by the node admin. If the node admin wants to have a receiver description of more than 400 chars, I don't see why we should prohibit them from doing so.
If there are some fields that should be of a certain length because they look better, then we should identify them and provide some visual feedback to the user as to how much text they should be inputting in the textarea/input box.
from globaleaks.
Good, anyhow we should have limits for certain fields' size.
Due to the fact that this only impacts the "visualization" of elements, we may just put those limits into GLClient without enforcing them on GLBackend.
That way the fields that should reasonably have a maximum limit will be handled client side (I mean, like the name of the receiver, that's the one for which I just opened the ticket).
from globaleaks.
I'll put those limit checks in, and the maximum size would be configurable in the settings (now) and in the configure (when it comes to be implemented, shortly) or in the admin web page (if requested). I agree that the limits need to be configurable, but at the moment the part of code that accepts those data is also missing (I believe the best way is to implement the validation function in Storm), so that needs to be done.
from globaleaks.
This has been implemented in the client: https://github.com/globaleaks/GLClient/commit/b375cfba08780d6b90800a69deb45d4c38011e0d
from globaleaks.
For the time being let's just stick to validating the length of the name of the receivers.
from globaleaks.
... this is wrong; if I pentest this app, the second POST I make is composed of two megabytes of data :)
    def test_5_create_huge_submission(self):
        # Start from the shared fixture (Python 2 test code, hence unicode()).
        # Note: dict() is a shallow copy, so the nested wb_fields dict below is
        # still the fixture's own object and gets modified in place.
        submission_request = dict(SubmissionTest.aSubmission)
        submission_request['receivers'] = [SubmissionTest.receiver_used['receiver_gus']]
        submission_request['context_gus'] = SubmissionTest.context_used['context_gus']
        # Two whistleblower fields of one million characters each: a ~2 MB POST
        submission_request['wb_fields']['headline'] = unicode("A" * 1000 * 1000)
        submission_request['wb_fields']['Sun'] = unicode("B" * 1000 * 1000)
        submission_request['finalize'] = True
It works! But is it what we want?
from globaleaks.
Implemented validator for Storm, in:
https://github.com/globaleaks/GLBackend/commit/42e3b277d49bb2a1f99bd908195bfe8bb5da6910 and tested.
Now there are three hard-coded limits:
- the "name" fields need to be > 0 and < 128 characters
- the "description" fields need to be < 1024 characters
- all the unicode values, inside a dict or directly in the DB, have a limit of 2048
Those limits are written in settings.py and checked before saving a certain value in the DB.
from globaleaks.
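The checks discussed in the last two comments (the two-megabyte POST test and the three hard-coded limits applied before the DB write), as an added example that is not GLBackend's or GLClient's code: a Python 3 validator using the limits quoted in the thread. It goes slightly beyond the comments by walking nested dicts and lists, checking dict keys as well as values, and bounding recursion depth. Every function, constant and exception name, the depth bound, and the sample submissions are assumptions constructed for this example.

```python
# Added example, not GLBackend code: length validation in the spirit of the
# Storm validators the thread describes. Limits are the ones quoted in the
# comments; all names below are assumptions.
from typing import Any, Callable, Optional

NAME_MAX = 128          # "name": 0 < len < 128
DESCRIPTION_MAX = 1024  # "description": len < 1024
GENERIC_MAX = 2048      # any unicode value, nested or not: len < 2048
MAX_DEPTH = 16          # assumption: stop a deeply nested body from exhausting the stack


class InvalidInputFormat(ValueError):
    """Raised when a field violates a length limit (error name taken from the thread)."""


def _check_str(value: Any, upper: int, path: str, min_len: int = 0) -> str:
    """Reject non-strings and strings outside min_len <= len < upper.

    len() counts code points, i.e. the "unicode char length" of the thread.
    That does not bound the byte size: UTF-8 needs up to 4 bytes per code
    point, so a 2047-code-point value can still be about 8 KiB on the wire.
    """
    if not isinstance(value, str):
        raise InvalidInputFormat("%s: expected a unicode string, got %s" % (path, type(value).__name__))
    n = len(value)
    if n < min_len:
        raise InvalidInputFormat("%s: must be at least %d characters" % (path, min_len))
    if n >= upper:
        raise InvalidInputFormat("%s: must be shorter than %d characters, got %d" % (path, upper, n))
    return value


def validate_name(value: Any) -> str:
    # "> 0 and < 128": at least one character, at most 127
    return _check_str(value, NAME_MAX, "name", min_len=1)


def validate_description(value: Any) -> str:
    # "< 1024": may be empty, at most 1023 characters
    return _check_str(value, DESCRIPTION_MAX, "description")


def validate_unicode_tree(value: Any, path: str = "$", depth: int = 0) -> Any:
    """Apply GENERIC_MAX to every string inside nested dicts/lists, keys included."""
    if depth > MAX_DEPTH:
        raise InvalidInputFormat("%s: nested deeper than %d levels" % (path, MAX_DEPTH))
    if isinstance(value, str):
        _check_str(value, GENERIC_MAX, path)
    elif isinstance(value, dict):
        for key, item in value.items():
            _check_str(key, GENERIC_MAX, path + ".<key>")  # keys are client-controlled too
            validate_unicode_tree(item, "%s.%s" % (path, key), depth + 1)
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            validate_unicode_tree(item, "%s[%d]" % (path, index), depth + 1)
    # ints, floats, bools and None carry no string length to check
    return value


def validate_submission(request: dict) -> dict:
    """The checks a submission handler would run before touching the DB."""
    validate_unicode_tree(request.get("wb_fields", {}), "$.wb_fields")
    validate_unicode_tree(request.get("receivers", []), "$.receivers")
    _check_str(request.get("context_gus"), GENERIC_MAX, "$.context_gus", min_len=1)
    return request


def rejection_reason(validator: Callable[[Any], Any], value: Any) -> Optional[str]:
    """Return the validator's error message, or None when the value is accepted."""
    try:
        validator(value)
    except InvalidInputFormat as exc:
        return str(exc)
    return None


# Constructed sample inputs mirroring the test posted in the thread (placeholder ids).
NORMAL_SUBMISSION = {
    "receivers": ["receiver-gus-placeholder"],
    "context_gus": "context-gus-placeholder",
    "wb_fields": {"headline": "Leaked memo", "Sun": "some text"},
    "finalize": True,
}
HUGE_SUBMISSION = dict(NORMAL_SUBMISSION, wb_fields={
    "headline": "A" * 1000 * 1000,  # the two-megabyte POST from the thread
    "Sun": "B" * 1000 * 1000,
})

if __name__ == "__main__":
    print(rejection_reason(validate_submission, NORMAL_SUBMISSION))
    print(rejection_reason(validate_submission, HUGE_SUBMISSION))
```

Running the module prints None for the normal submission and a message pointing at `$.wb_fields.headline` for the huge one. The error path is built up during the walk so the client can be told which nested field was too long; when the limits later become configurable, only the three constants need to move into settings.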