Flag message length is not validated at all #1289
Assignees
Labels
area: ruby
Changes to server-side code
complexity: average
Not particularly hard, not particularly trivial.
priority: low
type: bug
Something isn't working
Comments
Oaphi
added
area: ruby
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Length of flag messages is not validated server-side (although the minimum length [1 char ATTOW] is validated client-side). As a result, flaggers can submit up to 65 536 characters.
To Reproduce
Steps to reproduce the behavior:
Include as many characters as you like.
Observe the flag successfully being submitted or a raw DB error when over 65536 chars.
As per prior discussion, the upper limit should be configurable per-community with 1000 chars as the default. Let's also make the lower limit configurable (it's hardcoded right now) with the default set to 1 (for backwards compatibility).
The text was updated successfully, but these errors were encountered: