From 69386c52ff846c11867783244f3c9c9109f5e1e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Byron=20Jones=20=E2=80=B9=3Aglob=E2=80=BA?=
 <glob@mozilla.com>
Date: Thu, 10 Sep 2015 13:30:04 -0400
Subject: [PATCH] Bug 1202447: [SECURITY] The email address is not properly
 validated during registration if longer than 127 characters
 r=LpSolit,a=justdave

---
 Bugzilla/Util.pm | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 670f5f8f2..037b38648 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -676,12 +676,18 @@ sub validate_email_syntax {
     # RFC 2822 section 2.1 specifies that email addresses must
     # be made of US-ASCII characters only.
     # Email::Address::addr_spec doesn't enforce this.
-    my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/);
-    if ($ret) {
+    # We set the max length to 127 to ensure addresses aren't truncated when
+    # inserted into the tokens.eventdata field.
+    if ($addr =~ /$match/
+        && $email !~ /\P{ASCII}/
+        && $email =~ /^$addr_spec$/
+        && length($email) <= 127)
+    {
         # We assume these checks to suffice to consider the address untainted.
         trick_taint($_[0]);
+        return 1;
     }
-    return $ret ? 1 : 0;
+    return 0;
 }
 
 sub check_email_syntax {
-- 
2.24.1