Bug #532
Email validation weakness
| Status: | Closed | Start date: | 11/13/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Tom Moore | % Done: | 100% |
| Category: | Registration | | |
| Target version: | 1.4.10 | | |
| Reproducibility: | Always | Database Type: | |
| Reported In MyBB Version: | 1.4.9 | Database Version: | |
| PHP Version: | | SQA assignments: | |
| Browser: | | | |
Description
Hi,
You know that these emails are not valid:
test@test..
test@test.-
test@test....com
But users can disable JavaScript and try to register with these emails.
Suggested solution:
Search "inc/functions.php" for this line (located in "validate_email_format" function. line 4697 in MyBB 1.4.9):
return preg_match("/^[a-zA-Z0-9&*+\-_.{}~^\?=\/]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+$/si", $email);
And replace it with below code (i edited it a little):
return preg_match("/^[a-zA-Z0-9&*+\-_.{}~^\?=\/]+@[a-zA-Z0-9-]+\.([a-zA-Z0-9-]+\.)*[a-zA-Z]{2,6}$/si", $email);
Associated revisions
Fixes Email validation weakness (fixes:532)
History
Updated by Ryan Gordon about 2 years ago
Your regex would not work. The limitation of 6 characters would illegitimately reject some TLDs. View the ICANN Top-level domain name list: http://data.iana.org/TLD/tlds-alpha-by-domain.txt
Apart from making the maximum TLD length longer, I would also put that regex through more testing before implementing it.
Updated by Ryan Gordon about 2 years ago
- Category set to Registration
- Status changed from New to Assigned
- Assignee set to Tom Moore
- Target version set to 1.4.10
Updated by Tom Moore about 2 years ago
There's not a single line regex that will truly validate an email address. The only way to get a true check is to split things up and verify the username, domain and TLD separately. In PHP > 5.2, the `filter_var` function is the best option I've worked with.
Saeed's regex would be OK if the limit was increased to 18 to provide support for the longest one on the list or keep it at 6 to meet the common ones. Either way, the only option here is a compromise. In MyBB 2, there should be more options for us to choose from when validating emails...
Updated by Ryan Gordon about 2 years ago
Basically I think we should keep the same regex except make sure it's an alpha numeric (or the dash [-]) TLD that is at least 2 characters or more.
Updated by Tom Moore about 2 years ago
```php
return preg_match("/^[a-zA-Z0-9&*+\-_.{}~^\?=\/]+@[a-zA-Z0-9-]+\.([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]{2,}$/si", $email);
```
The examples in the description will fail with the above regex, but will allow alphanumeric (with dash) TLDs and domains.
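To make the discussion above checkable, here is an added example (not code from the ticket or from MyBB) that runs the three regexes side by side over the report's invalid addresses and a few valid ones, using Python's `re`, which reads these particular PCRE patterns identically; the `STRICT_PATTERN` variant, the `.photography` sample and all addresses are my own constructed additions.

```python
import re

# The three patterns discussed in this ticket (PCRE syntax; Python's re
# reads these particular patterns identically).
# 1. MyBB 1.4.9 inc/functions.php, the "before" quoted in the report:
OLD_PATTERN = r"^[a-zA-Z0-9&*+\-_.{}~^\?=\/]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+$"
# 2. Saeed's proposal, with the [a-zA-Z]{2,6} TLD that Ryan objected to:
PROPOSED_PATTERN = r"^[a-zA-Z0-9&*+\-_.{}~^\?=\/]+@[a-zA-Z0-9-]+\.([a-zA-Z0-9-]+\.)*[a-zA-Z]{2,6}$"
# 3. Tom Moore's final version, applied in r4534:
FIXED_PATTERN = r"^[a-zA-Z0-9&*+\-_.{}~^\?=\/]+@[a-zA-Z0-9-]+\.([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]{2,}$"
# Hypothetical hardening (not on the ticket): anchor with \Z so a trailing
# newline cannot slip past "$" (PCRE equivalent: \z, or the D modifier).
STRICT_PATTERN = FIXED_PATTERN[:-1] + r"\Z"


def validate_email_format(email: str, pattern: str = FIXED_PATTERN) -> bool:
    """Server-side check mirroring MyBB's validate_email_format(): True only
    if the whole string matches, case-insensitively like PCRE's /i flag."""
    return re.search(pattern, email, re.IGNORECASE) is not None


# Constructed sample input: the three addresses from the report plus
# addresses a registration form must keep accepting.
INVALID_FROM_REPORT = ["test@test..", "test@test.-", "test@test....com"]
VALID_SAMPLES = [
    "user@example.com",
    "first.last+tag@sub-domain.example.co.uk",
    "someone@example.photography",  # TLD longer than 6 letters
]


def compare_patterns(addresses):
    """Return {address: (old, proposed, fixed)} so the effect of each
    revision of the regex is visible side by side."""
    return {
        a: tuple(validate_email_format(a, p)
                 for p in (OLD_PATTERN, PROPOSED_PATTERN, FIXED_PATTERN))
        for a in addresses
    }


if __name__ == "__main__":
    for addr, (old, proposed, fixed) in compare_patterns(
            INVALID_FROM_REPORT + VALID_SAMPLES).items():
        print(f"{addr:42} old={old!s:5} proposed={proposed!s:5} fixed={fixed}")
```

Two things the fixed pattern still lets through, worth knowing when relying on it: a trailing newline (`"user@example.com\n"`) matches because `$` permits it, and a TLD made only of dashes (`user@example.--`) satisfies `[a-zA-Z0-9-]{2,}`.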
Updated by Ryan Gordon about 2 years ago
Tom Moore wrote:
> [...]
> The examples in the description will fail with the above regex, but will allow alphanumeric (with dash) TLDs and domains.
Looks awesome, that's exactly what I was looking for!
Updated by Tom Moore about 2 years ago
- Status changed from Assigned to Resolved
- % Done changed from 0 to 100
Applied in changeset r4534.
Updated by Michael Schlechtinger about 2 years ago
- Status changed from Resolved to Closed