Moodle / MDL-57567

validate_email incorrectly allows repeated dots.


    Details

    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE

      Description

      While reviewing the PHPmailer vuln internally, Gavin Porter (our Security Manager) noticed this:

      -----------
      The regex is mostly implemented in accordance with the RFC although it
      doesn't support some of the weird things like spaces and quoted sections
      that are theoretically possible.

      However, it would allow invalid repeated strings of dots in the domain
      part, such as me@test...com or me@test...

      I would recommend changing the function from:

          return (preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                       '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
                        '@'.
                        '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
                        '[-!\#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$#',
                        $address));
      

      to:

          return (preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                       '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
                        '@'.
                        '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)+$#',
                        $address));
      

      ------

      We think it's ok not to support the weird stuff - spaces, etc, but probably a good idea to make this change.
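
Added example, not part of the issue and not Moodle code: a PHP script that runs the current and the proposed pattern, both copied from the description above, over constructed sample addresses and reports where the two verdicts differ. The function names, labels and sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Moodle code. Both patterns are copied verbatim from the
// issue; function names and sample addresses are constructed for illustration.

function validate_email_current(string $address): bool {
    return (bool) preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                 '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
                 '@'.
                 '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
                 '[-!\#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$#',
                 $address);
}

function validate_email_proposed(string $address): bool {
    return (bool) preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                 '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
                 '@'.
                 '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                 '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)+$#',
                 $address);
}

// Constructed samples (label => address). The two "from issue" entries are the
// addresses named in the description; the rest probe nearby cases.
$samples = [
    'ordinary address'            => 'me@test.com',
    'multi-label domain'          => 'first.last@mail.example.org',
    'repeated dots (from issue)'  => 'me@test...com',
    'trailing dots (from issue)'  => 'me@test...',
    'single trailing dot'         => 'me@test.com.',
    'no dot in domain'            => 'me@localhost',
    'repeated dots in local part' => 'a..b@test.com',
];

// Prints both verdicts per sample and returns the samples whose verdict changes.
function compare_patterns(array $samples): array {
    $changed = [];
    foreach ($samples as $label => $address) {
        $old = validate_email_current($address);
        $new = validate_email_proposed($address);
        printf("%-28s %-28s current=%-6s proposed=%s\n", $label, $address,
            $old ? 'accept' : 'reject', $new ? 'accept' : 'reject');
        if ($old !== $new) {
            $changed[$label] = $address;
        }
    }
    return $changed;
}

$changed = compare_patterns($samples);
echo count($changed), " sample(s) change verdict under the proposed pattern\n";
```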


              People

              Assignee:
              Unassigned
              Reporter:
              danmarsden Dan Marsden