From e61a6238f2d49237807d76820080dccd272e6c29 Mon Sep 17 00:00:00 2001
From: Sam
Date: Tue, 14 Jul 2015 09:55:41 +1000
Subject: [PATCH] SECURITY: Remove email validation check bypass

- Increase size of email column to varchar(513)
- Give error message on signup when email is too large

Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.
---
 app/controllers/users_controller.rb | 3 +++
 config/locales/server.en.yml | 1 +
 db/migrate/20150713203955_enlarge_users_email_field.rb | 8 ++++++++
 3 files changed, 12 insertions(+)
 create mode 100644 db/migrate/20150713203955_enlarge_users_email_field.rb

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ad0b3699fc..69c285bc2f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -231,6 +231,9 @@ class UsersController < ApplicationController
 return fail_with("login.password_too_long")
 end
+ if params[:email] && params[:email].length > 254 + 1 + 253
+ return fail_with("login.email_too_long")
+ end
 user = User.new(user_params)
 # Handle custom fields
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 6e0d42b25d..db77d16f6e 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1287,6 +1287,7 @@ en:
 omniauth_error_unknown: "Something went wrong processing your log in, please try again."
 new_registrations_disabled: "New account registrations are not allowed at this time."
 password_too_long: "Passwords are limited to 200 characters."
+ email_too_long: "The email you provided is too long. Mailbox names must be no more than 254 characters, and domain names must be no more than 253 characters."
 missing_user_field: "You have not completed all the user fields"
 close_window: "Authentication is complete. Close this window to continue."
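Review bot: The bound `254 + 1 + 253` on the new `if` is an unexplained magic expression, and it caps only the total length, while the `login.email_too_long` message added in the same patch promises separate mailbox (254) and domain (253) limits, so an address with a 400-character mailbox and a short domain passes this check even though the message tells the user it should not. A comment on the condition such as `# total bound only: max mailbox (254) + "@" + max domain (253); parts are not checked separately` would make the real contract explicit, and the condition could also compare the two sides of the `@` individually if the message is to be kept literal. `params[:email].length` is a character count only when the parameter arrives as a String; if a non-scalar value can reach this point it counts elements instead, so an explicit String check before measuring would be safer. Because this guard lives in one controller action, any other path that creates a user or changes an email (not visible here) is not covered; a `validates :email, length: { maximum: ... }` on the model would enforce the limit wherever the column is written. The enclosing action starts and ends outside the hunk.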
diff --git a/db/migrate/20150713203955_enlarge_users_email_field.rb b/db/migrate/20150713203955_enlarge_users_email_field.rb
new file mode 100644
index 0000000000..15856c0f04
--- /dev/null
+++ b/db/migrate/20150713203955_enlarge_users_email_field.rb
@@ -0,0 +1,8 @@
+class EnlargeUsersEmailField < ActiveRecord::Migration
+ def up
+ change_column :users, :email, :string, :limit => 513
+ end
+ def down
+ change_column :users, :email, :string, :limit => 128
+ end
+end
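Review bot: `:limit => 513` carries no explanation of how it relates to the 508-character bound (254 + 1 + 253) the controller now enforces, and the `128` in `down` presumes a previous limit that is not recorded anywhere in this file. A comment on the `change_column` in `up` such as `# 254 mailbox + "@" + 253 domain = 508, plus headroom; must stay >= the controller's length check` would document the number, and `down` deserves a note that shrinking the column can fail or truncate once rows longer than 128 characters exist, depending on the database. On style, the file uses hash rockets (`:limit => 513`) where `limit: 513` is the usual Ruby 1.9+ form, and a blank line between `up` and `down` is conventional.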