Here's the patch from the security team to prevent DoS on filter_url().

From linclark (Discovered by):
"Today QA created a piece of content on our D7 site in order to test text-wrapping for extremely long words. In the body, he created a since word easily in the thousands of characters (I didn't count). After saving that, the admin/content page would no longer load as it would hit the PHP max execution time limit. I changed it to 60 seconds and it was still hitting that limit.

A developer then traced the bug to _filter_url:

After a little more investigation, the _filter_url() function is where all of the time is being used... Granted, it is invalid content but still a DoS vulnerability."

Please give commit credit to chx, jwineinger, and linclark. See http://stackoverflow.com/questions/386294/maximum-length-of-a-valid-emai... for some background. Private tracker #69603

Files: 
CommentFileSizeAuthor
#10 drupal-1558468-10-revert.patch1.74 KBtim.plunkett
FAILED: [[SimpleTest]]: [MySQL] 39,068 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#10 drupal-1558468-10.patch1.23 KBtim.plunkett
PASSED: [[SimpleTest]]: [MySQL] 39,063 pass(es).
[ View ]
#6 long-email-with-tests-1558468-6-test-only.patch1.25 KBBerdir
FAILED: [[SimpleTest]]: [MySQL] 36,316 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#6 long-email-with-tests-1558468-6.patch1.77 KBBerdir
PASSED: [[SimpleTest]]: [MySQL] 36,294 pass(es).
[ View ]
#3 long-email-with-tests-1558468-3-test-only.patch1.09 KBBerdir
FAILED: [[SimpleTest]]: [MySQL] 36,297 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#3 long-email-with-tests-1558468-3.patch1.61 KBBerdir
FAILED: [[SimpleTest]]: [MySQL] 36,308 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#1 long-email-with-tests-1558468-1-test-only.patch1.08 KBBerdir
PASSED: [[SimpleTest]]: [MySQL] 36,300 pass(es).
[ View ]
#1 long-email-with-tests-1558468-1.patch1.6 KBBerdir
PASSED: [[SimpleTest]]: [MySQL] 36,300 pass(es).
[ View ]
69603-7-D7-do-not-test.patch515 byteswebchick

Comments

Status:Active» Needs review
StatusFileSize
new1.6 KB
PASSED: [[SimpleTest]]: [MySQL] 36,300 pass(es).
[ View ]
new1.08 KB
PASSED: [[SimpleTest]]: [MySQL] 36,300 pass(es).
[ View ]

Ported and working on adding a test. Completely untested, let's see how this goes.

Hello,

If you want to insert long url then you can shorten them by using bitly (https://bitly.com/), It may solve the problem of long url.

StatusFileSize
new1.61 KB
FAILED: [[SimpleTest]]: [MySQL] 36,308 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
new1.09 KB
FAILED: [[SimpleTest]]: [MySQL] 36,297 pass(es), 1 fail(s), and 0 exception(s).
[ View ]

both passed? Well, that's not what should have happened... Looks like it's because I forgot to add the mailto:.

@viswanath_polaki: This is not making long mails work, this is to prevent a security issue when there is one.

Status:Needs review» Needs work

The last submitted patch, long-email-with-tests-1558468-3.patch, failed testing.

Shouldn't the entire length of the email address be less than or equal to 254, rather than just the part before the @ sign?

StatusFileSize
new1.77 KB
PASSED: [[SimpleTest]]: [MySQL] 36,294 pass(es).
[ View ]
new1.25 KB
FAILED: [[SimpleTest]]: [MySQL] 36,316 pass(es), 1 fail(s), and 0 exception(s).
[ View ]

@akamustang, Yeah, looks like it, after reading the referenced documentation. It looks like the whole thing can be up to 254 characters and the local part only 64. Interestingly, $domain is actually limited to 64.

Anyway, here are tests for the current behavior of the code.

Status:Needs work» Needs review

Status:Needs review» Reviewed & tested by the community

Thanks, looks good to me.

Please note the additional commit credits in the OP.

Title:SA-CORE-2012-002 - Denial of Service SA-CORE-2012-002 - Denial of Service (D7 test coverage)
Version:8.x-dev» 7.x-dev
Category:bug» task
Priority:Critical» Major
Status:Reviewed & tested by the community» Patch (to be ported)
Issue tags:+Novice, +needs backport to D7

Committed/pushed to 8.x, we should backport the tests to 7.x, tagging novice for the backport.

Status:Patch (to be ported)» Needs review
StatusFileSize
new1.23 KB
PASSED: [[SimpleTest]]: [MySQL] 39,063 pass(es).
[ View ]
new1.74 KB
FAILED: [[SimpleTest]]: [MySQL] 39,068 pass(es), 1 fail(s), and 0 exception(s).
[ View ]

The first patch reverts the fix in D7 to show the tests fail, the second is the tests and the one to commit.

Status:Needs review» Reviewed & tested by the community

Yup, that's the same test. If it was good enough for D8 (despite the double blank lines), then I'll play along and say it's good enough for D7 too.

Though I wonder if the 500+ character array key might have been overkill ... "person@example.com or mailto:person2@example.com or (254-character-username)@example.com but not (255-character-username)@example.com" may have been enough. ;)

Status:Reviewed & tested by the community» Fixed

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue summary:View changes

x