From 14e7866745222f8c3c41a69eedf629f653a2cb2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 24 Feb 2020 16:58:51 -0500
Subject: [PATCH] fix: #8179, limit length of location/website/fullname, check grouptitle

---
 src/user/profile.js | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/user/profile.js b/src/user/profile.js
index ac2e7fbcf8..0e135f5877 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -111,6 +111,9 @@ module.exports = function (User) {
  if (!data.website) {
  return;
  }
+ if (data.website.length > 255) {
+ throw new Error('[[error:invalid-website]]');
+ }
  await User.checkMinReputation(callerUid, data.uid, 'min:rep:website');
  }
 
@@ -136,13 +139,13 @@ module.exports = function (User) {
  }
 
  function isFullnameValid(data) {
- if (data.fullname && validator.isURL(data.fullname)) {
+ if (data.fullname && (validator.isURL(data.fullname) || data.fullname.length > 255)) {
  throw new Error('[[error:invalid-fullname]]');
  }
  }
 
  function isLocationValid(data) {
- if (data.location && validator.isURL(data.location)) {
+ if (data.location && (validator.isURL(data.location) || data.location.length > 255)) {
  throw new Error('[[error:invalid-location]]');
  }
  }
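Review bot: The added website check assumes data.website is a string; if the enclosing function (its start is outside this hunk) does not already enforce that, a non-string value such as an array or object has no usable .length, the comparison is false and the value passes through to the reputation check, so `if (typeof data.website !== 'string' || data.website.length > 255) {` would be the stricter guard. The `255` is also hard-coded here and again twice in the isFullnameValid/isLocationValid hunk below; one named constant, e.g. `const maxFieldLength = 255;` at module scope, keeps the three limits from drifting. Note that .length counts UTF-16 code units, not bytes, so it will not match a byte-based storage limit exactly for non-ASCII input.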
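Review bot: In isFullnameValid and isLocationValid the new length test sits after validator.isURL, so an oversized value is still pushed through the URL regex before the cheap comparison rejects it; ordering the operands the other way, `data.fullname.length > 255 || validator.isURL(data.fullname)` (and the same for data.location), rejects overlong input first and bounds the work the validator does on it. As in the website hunk, a non-string value is not rejected by either operand, which is worth a `typeof` guard if the caller does not already coerce these fields.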
@@ -159,8 +162,27 @@ module.exports = function (User) {
  }
 
  function isGroupTitleValid(data) {
- if (data.groupTitle === 'registered-users' || groups.isPrivilegeGroup(data.groupTitle)) {
- throw new Error('[[error:invalid-group-title]]');
+ function checkTitle(title) {
+ if (title === 'registered-users' || groups.isPrivilegeGroup(title)) {
+ throw new Error('[[error:invalid-group-title]]');
+ }
+ }
+ if (!data.groupTitle) {
+ return;
+ }
+ let groupTitles = [];
+ if (validator.isJSON(data.groupTitle)) {
+ groupTitles = JSON.parse(data.groupTitle);
+ if (!Array.isArray(groupTitles)) {
+ throw new Error('[[error:invalid-group-title]]');
+ }
+ groupTitles.forEach(title => checkTitle(title));
+ } else {
+ groupTitles = [data.groupTitle];
+ checkTitle(data.groupTitle);
+ }
+ if (!meta.config.allowMultipleBadges && groupTitles.length > 1) {
+ data.groupTitle = JSON.stringify(groupTitles[0]);
  }
  }
 
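Review bot: `data.groupTitle = JSON.stringify(groupTitles[0])` on the last added line serialises a bare string, so a title foo is stored as "foo" with literal quotes rather than as the plain title or a one-element array; unless the readers of groupTitle unwrap that form (not visible here), `data.groupTitle = groupTitles[0];` or `JSON.stringify([groupTitles[0]])` looks like what was intended. The parsed array is also accepted without checking its elements: a non-string entry is passed straight to groups.isPrivilegeGroup, whose handling of non-strings is not visible here, and neither the array nor its entries have any size cap although the same commit caps the other profile fields at 255. A guard at the top of checkTitle, `if (typeof title !== 'string' || title.length > 255) { throw new Error('[[error:invalid-group-title]]'); }`, would close both gaps with the same limit used for website, fullname and location. isGroupTitleValid is shown in full; the module wrapper it sits in starts outside the hunk.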