Report an error for too-long form fields

Notify the user if any form field exceeds its maximum length. This shouldn't happen in regular use since the fields have a suitable max length set in the input HTML forms, but a manually-constructed POST could do it. Report a (terse) error rather than failing with an internal server error (which also bothers the admin with an email).
salilab · Jul 21, 2020 · 5e709b8 · 5e709b8
1 parent f68dca7
commit 5e709b8
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 6 deletions.
diff --git a/account/account/__init__.py b/account/account/__init__.py
@@ -98,6 +98,10 @@ def profile():
         if not all((form['first_name'], form['last_name'],
                     form['institution'], form['email'])):
             error = "Please fill out all required form fields."
+        elif any((form[x] and len(form[x]) > 40)
+                 for x in ('first_name', 'last_name', 'institution',
+                           'email', 'modeller_key')):
+            error = "Form field too long."
         else:
             dbh = saliweb.frontend.get_db()
             cur = dbh.cursor()

diff --git a/account/account/util.py b/account/account/util.py
@@ -65,6 +65,11 @@ def create_account():
     if not all((f['user_name'], f['first_name'], f['last_name'],
                 f['institution'], f['email'])):
         return "Please fill out all required form fields."
+    elif (len(f['user_name']) > 25
+          or any((f[x] and len(f[x]) > 40)
+                 for x in ('first_name', 'last_name', 'institution',
+                           'email', 'modeller_key'))):
+        return "Form field too long."
     dbh = saliweb.frontend.get_db()
     cur = dbh.cursor()
     cur.execute('SELECT user_name FROM servers.users WHERE user_name=%s',
@@ -109,8 +114,8 @@ def update_login_cookie(cur, user_name, permanent):
 
 def check_password(password, passwordcheck):
     """Do basic sanity checks on a password entered in a form"""
-    if len(password) < 8:
-        return "Passwords should be at least 8 characters long."
+    if len(password) < 8 or len(password) > 25:
+        return "Passwords should be between 8 and 25 characters long."
     if password != passwordcheck:
         return "Password check failed. The two passwords are not identical."
 

diff --git a/account/test/test_main.py b/account/test/test_main.py
@@ -122,7 +122,7 @@ def test_register_short_password():
     c = account.app.test_client()
     rv = c.post('/register', data={'academic': 'on', 'password': 'short',
                                    'passwordcheck': 'short'})
-    r = re.compile(b'Error:.*Passwords should be at least 8 characters long.*'
+    r = re.compile(b'Error:.*Passwords should be between 8 and 25 characters.*'
                    b'Create an Account',
                    re.DOTALL | re.MULTILINE)
     assert r.search(rv.data)
@@ -163,7 +163,7 @@ def test_register_existing_user():
     data = {'academic': 'on', 'password': '12345678',
             'passwordcheck': '12345678', 'user_name': 'authuser',
             'first_name': 'foo', 'last_name': 'foo', 'institution': 'foo',
-            'email': 'foo'}
+            'email': 'foo', 'modeller_key': ''}
     rv = c.post('/register', data=data)
     r = re.compile(b'Error:.*User name authuser already exists.*'
                    b'Create an Account',
@@ -250,6 +250,24 @@ def test_profile_missing_fields():
         assert r.search(rv.data)
 
 
+def test_profile_long_fields():
+    """Test edit-profile failure (too-long fields)"""
+    c = account.app.test_client()
+    utils.set_servers_cookie(c, 'authuser', 'authpw00')
+    fields = ('first_name', 'last_name',
+              'institution', 'email', 'modeller_key')
+    for field in fields:
+        data = {}
+        for f in fields:
+            data[f] = 'foo'
+        data[field] = 'x' * 80
+        rv = c.post('/profile', data=data, base_url='https://localhost')
+        r = re.compile(b'Edit Profile.*'
+                       b'Error:.*Form field too long.*',
+                       re.DOTALL | re.MULTILINE)
+        assert r.search(rv.data)
+
+
 def test_profile_ok():
     """Test successful edit-profile"""
     c = account.app.test_client()
@@ -303,7 +321,20 @@ def test_password_too_short():
             'passwordcheck': '1234'}
     rv = c.post('/password', data=data, base_url='https://localhost')
     r = re.compile(b'Change Password.*'
-                   b'Error:.*Passwords should be at least 8 characters',
+                   b'Error:.*Passwords should be between 8 and 25 characters',
+                   re.DOTALL | re.MULTILINE)
+    assert r.search(rv.data)
+
+
+def test_password_too_long():
+    """Test change-password failure (new password too long)"""
+    c = account.app.test_client()
+    utils.set_servers_cookie(c, 'authuser', 'authpw00')
+    data = {'oldpassword': 'authpw00', 'newpassword': 'x' * 30,
+            'passwordcheck': 'x' * 30}
+    rv = c.post('/password', data=data, base_url='https://localhost')
+    r = re.compile(b'Change Password.*'
+                   b'Error:.*Passwords should be between 8 and 25 characters',
                    re.DOTALL | re.MULTILINE)
     assert r.search(rv.data)
 
@@ -405,7 +436,7 @@ def test_reset_link_password_fail():
     rv = c.post('/reset/2/unauthkey',
                 data={'password': 'abc', 'passwordcheck': 'abc'})
     r = re.compile(b'Password Reset.*'
-                   b'Error:.*Passwords should be at least 8 characters long.*'
+                   b'Error:.*Passwords should be between 8 and 25 characters.*'
                    b'Choose Password.*'
                    b'Re-enter Password.*',
                    re.DOTALL | re.MULTILINE)