
validate_email incorrectly allows repeated dots.

    Details

    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE

      Description

      While reviewing the PHPMailer vulnerability internally, Gavin Porter (our Security Manager) noticed this:

      -----------
      The regex is mostly implemented in accordance with the RFC although it
      doesn't support some of the weird things like spaces and quoted sections
      that are theoretically possible.

      However, it would allow invalid repeated strings of dots in the domain
      part, such as me@test...com or me @test...

      I would recommend changing the function from:

          function validate_email($address) {
              // Current pattern: the last character class also contains ".",
              // so any run of dots after the first one in the domain is accepted.
              return (preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                                 '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
                                 '@'.
                                 '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
                                 '[-!\#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$#',
                                 $address));
          }


      to:

          function validate_email($address) {
              // Proposed pattern: the domain is one label followed by one or more
              // ".label" groups, each label non-empty, so repeated dots no longer match.
              return (preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                                 '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
                                 '@'.
                                 '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
                                 '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)+$#',
                                 $address));
          }


      ------

      We think it's OK not to support the weird stuff (spaces, etc.), but it is probably a good idea to make this change.

              Activity

              poltawski Dan Poltawski added a comment -

              Another related case: it accepts foo@8.8.8.8 - but according to https://tools.ietf.org/html/rfc2822#section-3.4.1 that should be foo@[8.8.8.8]

              (I would just not let it accept any ip literals as they are very unlikely to get delivered/accepted)
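              To make the difference between the current and proposed patterns concrete, here is an added comparison script (not code from the tracker or from Moodle) that transcribes both PHP regexes into Python raw strings and runs them over a constructed list of addresses, including the me@test...com case from the report and the foo@8.8.8.8 IP-literal case from the comment above; it also shows that the proposed pattern rejects a single trailing dot, which the current one accepts.

```python
import re

# RFC 5322 "atext" characters as used by Moodle's validate_email(), transcribed
# from the PHP single-quoted string on the page into a Python raw string.
ATOM = r"[-!\#$%&'*+\/0-9=?A-Z^_`a-z{|}~]"
LOCAL_PART = ATOM + r"+(\." + ATOM + r"+)*"

# Current domain pattern: the final class also contains ".", so once the first
# dot is seen, any run of dots (or a trailing dot) is accepted.
OLD_DOMAIN = ATOM + r"+\.[-!\#$%&'*+\./0-9=?A-Z^_`a-z{|}~]+"
# Proposed domain pattern: one label followed by one or more ".label" groups,
# every label non-empty, so consecutive or trailing dots no longer match.
NEW_DOMAIN = ATOM + r"+(\." + ATOM + r"+)+"

OLD_RE = re.compile("^" + LOCAL_PART + "@" + OLD_DOMAIN + "$")
NEW_RE = re.compile("^" + LOCAL_PART + "@" + NEW_DOMAIN + "$")


def validate_email_old(address: str) -> bool:
    """Behaviour of the current regex (preg_match returns 1 on a match)."""
    return OLD_RE.match(address) is not None


def validate_email_fixed(address: str) -> bool:
    """Behaviour of the proposed regex."""
    return NEW_RE.match(address) is not None


def compare(addresses):
    """Map each address to (old_result, fixed_result)."""
    return {a: (validate_email_old(a), validate_email_fixed(a)) for a in addresses}


# Constructed sample inputs; only me@test...com and foo@8.8.8.8 come from the tracker.
SAMPLES = [
    "user.name@example.com",  # valid under both
    "me@test...com",          # repeated dots: old accepts, fixed rejects
    "me@test...",             # trailing run of dots: old accepts, fixed rejects
    "me@test.com.",           # single trailing dot: old accepts, fixed rejects
    "first@example",          # no dot in domain: both reject
    "foo@8.8.8.8",            # bare IP literal from the comment: both still accept
]

if __name__ == "__main__":
    for addr, (old, fixed) in compare(SAMPLES).items():
        print(f"{addr:24} old={old!s:5} fixed={fixed}")
```

The bare IP literal is accepted by both patterns, so the proposed change alone does not address the second point raised in the comment.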

