Add sensible limit to user name inputs #2935

Closed
opened 2026-02-05 05:47:22 +03:00 by OVERLORD · 4 comments

Originally created by @ehumphrey-payments on GitHub (Aug 2, 2022).

Describe the Bug

Alt title: Missing input validation on Name

When a user is editing their profile under the "Edit Profile" section, extremely long names are accepted by the system, even as long as 792 characters. This starts causing system issues for the logged-in user, who won't be able to use the system anymore due to HTTP 500 errors. Doesn't seem to have any impact for other users.

Steps to Reproduce

  1. Log in as any user. Ideally, have a backup admin user that can edit profiles.
  2. From the user dropdown, select Edit Profile.
  3. Under Name, enter these 231 characters:

AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA

  4. Save your changes. The changes are saved successfully with an HTTP 200. The username change will be successful and show in the audit log.
  5. BookStack will return an HTTP 500 error on every page.

Expected Behaviour

  • The user does not get an HTTP 500 error when accessing BookStack.

Optional:

  • Instead of being allowed to have an absurdly long name, the user receives an error when the new name length exceeds a certain length.
  • Add the permission ability to disallow users from editing their own name or their own user as a whole
    • Particularly useful if the user's name is sourced from an SSO provider and therefore not requiring editing
  • Allow maximum name length to be configurable

Screenshots or Additional Context

No response

Browser Details

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0

Exact BookStack Version

v22.06.2

PHP Version

7.4.26

Hosting Environment

  • LinuxServer container on Ubuntu 22.04 LTS virtual machine
  • LinuxServer MariaDB container
  • Nginx 1.22 as reverse proxy
OVERLORD added the 🐛 Bug label 2026-02-05 05:47:22 +03:00

@ssddanbrown commented on GitHub (Aug 4, 2022):

Thanks for the report @ErikHumphrey, I agree some extra length-validation could be useful here, outside of the database field length limitation.

In regards to the http 500 errors, do you have any information on these? Perhaps from any of the error logs (https://www.bookstackapp.com/docs/admin/debugging/#error-log-file) in your stack.
During my testing I was not able to replicate such errors, even when using the linuxserver.io container setup.

@ssddanbrown commented on GitHub (Aug 9, 2022):

Limit set within commit 4209f27f1acabfccff0c2dea08f8e151ed82144f. Still fairly high (100 chars) but don't want to go too low as don't want to break existing usages.

I'll assume the 500 was something else at play, and re-name then close this issue off.
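As an added illustration of the kind of server-side length check this thread settles on (this is not BookStack's code and not the content of the commit above), a framework-free PHP function that enforces a 100-character maximum; the 2-character minimum, the function name and the sample inputs are assumptions made for the example:

```php
<?php
// Added example, not BookStack's own code. Limits mirror the 100-character
// maximum discussed in this issue; the 2-character minimum is an assumption.
const NAME_MIN_CHARS = 2;
const NAME_MAX_CHARS = 100;

/**
 * Return a list of validation errors for a display name (empty if valid).
 * Length is measured in characters with mb_strlen, not bytes with strlen, so
 * a 60-character name in a non-Latin script is not rejected as "too long".
 * This runs on the server, so a client-side maxlength attribute being removed
 * from the form makes no difference.
 */
function validateDisplayName(string $name): array
{
    $errors = [];
    $trimmed = trim($name);
    $length = mb_strlen($trimmed, 'UTF-8');

    if ($length < NAME_MIN_CHARS) {
        $errors[] = sprintf('Name must be at least %d characters.', NAME_MIN_CHARS);
    }
    if ($length > NAME_MAX_CHARS) {
        $errors[] = sprintf('Name may not be longer than %d characters (got %d).',
            NAME_MAX_CHARS, $length);
    }
    return $errors;
}

// Constructed inputs modelled on the report: a 231-character and a
// 792-character run of A's, plus a multibyte name (60 chars, 120 bytes).
$samples = [
    'short ok'       => 'Ada Lovelace',
    '231 A chars'    => str_repeat('A', 231),
    '792 A chars'    => str_repeat('A', 792),
    '60 umlaut chars' => str_repeat('ä', 60),
    'single char'    => 'A',
];

foreach ($samples as $label => $value) {
    $errors = validateDisplayName($value);
    printf("%-16s chars=%3d bytes=%3d -> %s\n", $label,
        mb_strlen($value, 'UTF-8'), strlen($value),
        $errors === [] ? 'accepted' : implode(' ', $errors));
}
```

The byte count is printed alongside the character count to make the mb_strlen versus strlen distinction visible; a column limit defined in characters (as with utf8mb4 VARCHAR columns) should be compared against the former.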

@ehumphrey-payments commented on GitHub (Aug 10, 2022):

Thanks! Pentester and myself tried to reproduce the issue on the same, old version recently and weren't able to either; sorry.


@ssddanbrown commented on GitHub (Aug 10, 2022):

@ErikHumphrey No worries! Thanks for confirming though!

Reference: starred/BookStack#2935