From c0f699e65544f3647f01b937baf9626a4fbdd52b Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Tue, 3 Nov 2020 09:53:49 -0500
Subject: [PATCH] fix: disallow registration attempts with password length > 4096 This is a stopgap measure for v1.15.0
---
 src/controllers/authentication.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index a14faf2758..27b3d63cf6 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -94,6 +94,10 @@ authenticationController.register = async function (req, res) {
 throw new Error('[[user:change_password_error_match]]');
 }
+ if (userData.password.length > 4096) {
+ throw new Error('[[error:password-too-long]]');
+ }
+ user.isPasswordValid(userData.password);
 res.locals.processLogin = true; // set it to false in plugin if you wish to just register only
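Review bot: The 4096-character cap added in `authenticationController.register` protects only this one entry point, so any other path that passes a user-supplied password on to validation or hashing (none is visible in this hunk) would still accept oversized input; the commit message itself calls the change a stopgap. The statement right after the new check calls `user.isPasswordValid(userData.password)`, so the limit would presumably be better enforced inside that shared validator, where every caller inherits it. The check also reads `.length` without confirming the value is a string: if the body parser yields an array or object for `password`, the cap would count elements or be skipped entirely, so consider `if (typeof userData.password !== 'string' || userData.password.length > 4096) {` unless the type is already validated earlier in the function, which starts outside the hunk. A named constant for 4096 would make the limit easier to keep consistent once it is applied in more than one place.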