SECURITY: Remove email validation check bypass

- Increase size of email column to varchar(513)
 - Give error message on signup when email is too large

Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.

app/controllers/users_controller.rb

@@ -230,6 +230,10 @@ class UsersController < ApplicationController
       return
     end
 
+    if params[:email] && params[:email].length > 254 + 1 + 253
+      return fail_with("login.email_too_long")
+    end
+
     user = User.new(user_params)
 
     # Handle custom fields

config/locales/server.en.yml

@@ -1273,6 +1273,9 @@ en:
     omniauth_error_unknown: "Something went wrong processing your log in, please try again."
     new_registrations_disabled: "New account registrations are not allowed at this time."
     password_too_long: "Passwords are limited to 200 characters."
+
+    email_too_long: "The email you provided is too long. Mailbox names must be no more than 254 characters, and domain names must be no more than 253 characters."
+    reserved_username: "That username is not allowed."
     missing_user_field: "You have not completed all the user fields"
     close_window: "Authentication is complete. Close this window to continue."
 

db/migrate/20150713203955_enlarge_users_email_field.rb

@@ -0,0 +1,8 @@
+class EnlargeUsersEmailField < ActiveRecord::Migration
+  def up
+    change_column :users, :email, :string, :limit => 513
+  end
+  def down
+    change_column :users, :email, :string, :limit => 128
+  end
+end