Restrict email address validation #17688
Conversation
What about an email address like
Just a thought:
If we want to follow RFC, the rules are more complex. https://stackoverflow.com/questions/2049502/what-characters-are-allowed-in-an-email-address
Never mind, I see the code does that, but it's probably deemed too lax.
New test may be failing.
Parsing email addresses with regexps seems like a bad idea.
Since 2012 you can include characters above U+007f if they're encoded as UTF-8. Why are we doing this? Why not just parse the email address with
The invisible unicode characters could pass
Yes. Just using email verification links is a saner solution, to be honest.
Co-authored-by: silverwind <[email protected]>
…t/mail.ParseAddress don't support it
Tests passed locally
-> #19085
Co-authored-by: Lunny Xiao <[email protected]>
* giteaofficial/main: Frontport Changelogs (go-gitea#19088) Restrict email address validation (go-gitea#17688) Fix lfs bug (go-gitea#19072)
Even with #17688 email addresses that contain an initial `-` may still be present in the db and it may in future still be possible to imagine a situation whereby initial `-` are repermitted. This PR simply updates the documentation to warn users to set their SENDMAIL_ARGS with a terminal `--` to prevent this possibility of email addresses being interpreted as options. Signed-off-by: Andrew Thornton <[email protected]>
This didn't follow the RFC but it's a subset of that. I think we should narrow the allowed chars at first and discuss more possibility in future PRs.
Below are the rules to validate an email.
- `` [0-9a-zA-Z.!#$%&'*+-/=?^_`{|}~@] ``
- `[0-9a-zA-Z]`
- `@` should only contain `[0-9a-zA-Z.]` characters.