Suggestion: set an upper limit on the length of a media item's title.
Submitted by cli..@..ba.org
Assigned to cli..@..ba.org
Link to original bug (#717497)
Description
---- Reported by clinton@yorba.org 2011-02-14 19:30:00 -0800 ----
Original Redmine bug id: 3196
Original URL: http://redmine.yorba.org/issues/3196
Searchable id: yorba-bug-3196
Original author: Clinton Rogers
Original description:
It's possible to enter some insanely long titles, currently, and, under the right circumstances, this can lead to untoward behaviour. To see the problems:
Import any photo or video.
Copy a very long block of text (for the purposes of this bug, I used 65536 bytes of text gotten from a Lorem Ipsum generator) and paste it into the title.
Observe the results.
Results vary, but can range from causing Compiz to crash to locking up the X window system and keyboard input completely. Although such a long title is clearly not an expected use case, this is felt to be critical because a malicious user on a multi-user machine could use this to deny service.
---- Additional Comments From shotwell-maint@gnome.bugs 2013-05-01 11:39:00 -0700 ----
History
Comment 1
Updated by Adam Dingle almost 3 years ago
- Target version set to 0.9
- Priority changed from Urgent to High
Thanks for the stress testing. :) Not sure that we're at all concerned about denial of service on multi-user machines, but it would still be nice to tighten this up.
Comment 2
Updated by Clinton Rogers over 2 years ago
- Status changed from Open to Review
- Assignee changed from Anonymous to Clinton Rogers
If no one objects, I propose setting a length limit of 4096 characters.
Comment 3
Updated by Adam Dingle over 2 years ago
Sounds fine.
Comment 4
Updated by Clinton Rogers over 2 years ago
Proposed patch submitted via email.
Comment 5
Updated by Clinton Rogers over 2 years ago
Revised patch submitted via email, awaiting acceptance.
Comment 6
Updated by Clinton Rogers over 2 years ago
r2718
Comment 7
Updated by Clinton Rogers over 2 years ago
- Status changed from Review to 5
- Resolution set to fixed
- % Done changed from 0 to 100
Comment 8
Updated by Charles Lindsay 7 months ago
- Status changed from 5 to Fixed
--- Bug imported by chaz@yorba.org 2013-11-25 21:51 UTC ---
This bug was previously known as bug 3196 at http://redmine.yorba.org/show_bug.cgi?id=3196
Unknown Component Using default product and component set in Parameters Unknown milestone "unknown in product shotwell. Setting to default milestone for this product, "---". Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
Version: 0.9
Resolution: RESOLVED FIXED
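One way to enforce the 4096-character limit proposed in Comment 2, shown here as an added example: it is not the patch committed as r2718 (which does not appear on this page) and not Shotwell code. The names `title_clamped_bytes`, `utf8_seq_len` and `MAX_TITLE_CHARS` are hypothetical, and the sketch assumes titles arrive as NUL-terminated UTF-8, so the limit is counted in characters and never cuts a multi-byte sequence in half.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TITLE_CHARS 4096   /* limit proposed in Comment 2 (name is hypothetical) */

/* Byte length of the well-formed UTF-8 sequence at s (n bytes remain),
 * or 0 if the lead byte is invalid or the sequence is cut short.
 * Structural check only: overlong forms and surrogates are not rejected. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len, i;

    if (s[0] < 0x80)                len = 1;
    else if ((s[0] & 0xE0) == 0xC0) len = 2;
    else if ((s[0] & 0xF0) == 0xE0) len = 3;
    else if ((s[0] & 0xF8) == 0xF0) len = 4;
    else return 0;
    if (len > n) return 0;
    for (i = 1; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return len;
}

/* Returns how many leading bytes of title to keep so that the result holds
 * at most max_chars whole characters; stops early at malformed input. */
size_t title_clamped_bytes(const char *title, size_t max_chars)
{
    const unsigned char *s = (const unsigned char *)title;
    size_t total = strlen(title), off = 0, chars = 0;

    while (off < total && chars < max_chars) {
        size_t len = utf8_seq_len(s + off, total - off);
        if (len == 0) break;          /* malformed byte: keep only what precedes it */
        off += len;
        chars++;
    }
    return off;
}

int main(void)
{
    static char paste[65536 + 1];     /* constructed input, same size as in the report */
    size_t i;

    for (i = 0; i < 65536; i += 2) { paste[i] = '\xc3'; paste[i + 1] = '\xa9'; }
    printf("keep %zu of %zu bytes\n",
           title_clamped_bytes(paste, MAX_TITLE_CHARS), strlen(paste));
    return 0;
}
```

The caller copies only the returned number of bytes into the stored title, so the clamp applies before the string reaches any widget that has to lay it out.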