- Bug
- Resolution: Duplicate
- Minor
- None
- 3.1.3, 3.2
- MOODLE_31_STABLE, MOODLE_32_STABLE
While reviewing the PHPMailer vuln internally, gavinporter (our Security Manager) noticed this:
-----------
The regex is mostly implemented in accordance with the RFC although it
doesn't support some of the weird things like spaces and quoted sections
that are theoretically possible.
However, it would allow invalid repeated strings of dots in the domain
part, such as me@test...com or me@test...
I would recommend changing the function from:
    return (preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
        '@'.
        '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
        '[-!\#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$#',
        $address));
to:
    return (preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
        '@'.
        '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)+$#',
        $address));
------
We think it's OK not to support the weird stuff (spaces, etc.), but it's probably a good idea to make this change.
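
A regression check for the change proposed above, added here as an example; it is not part of the original report and not Moodle's own code. It runs both quoted patterns over constructed addresses. The function names `email_matches_current` and `email_matches_proposed` and every sample address are assumptions made for the illustration.

```php
<?php
// Added example: function names and sample addresses are constructed.

// Pattern quoted in the report as the current implementation.
function email_matches_current(string $address): bool {
    return (bool) preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
        '@'.
        '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
        '[-!\#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$#',
        $address);
}

// Pattern proposed in the report: each dot in the domain must be
// followed by at least one non-dot character.
function email_matches_proposed(string $address): bool {
    return (bool) preg_match('#^[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)*'.
        '@'.
        '[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+'.
        '(\.[-!\#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+)+$#',
        $address);
}

// address => [expected from current pattern, expected from proposed pattern]
$cases = [
    'me@test.com'                 => [true,  true],
    'first.last@mail.example.org' => [true,  true],
    'me@test...com'               => [true,  false], // repeated dots (from the report)
    'me@test...'                  => [true,  false], // repeated dots (from the report)
    'me@test.com.'                => [true,  false], // trailing dot, same character class
    'me@localhost'                => [false, false], // both require a dot in the domain
    'me@.test.com'                => [false, false], // domain may not start with a dot
];

$failures = 0;
foreach ($cases as $address => [$wantcurrent, $wantproposed]) {
    $gotcurrent = email_matches_current($address);
    $gotproposed = email_matches_proposed($address);
    $ok = ($gotcurrent === $wantcurrent && $gotproposed === $wantproposed);
    $failures += $ok ? 0 : 1;
    printf("%-28s current=%-5s proposed=%-5s %s\n", $address,
        var_export($gotcurrent, true), var_export($gotproposed, true),
        $ok ? 'ok' : 'UNEXPECTED');
}
exit($failures === 0 ? 0 : 1);
```

The script exits non-zero if either pattern disagrees with the expected column, so it can be run from the command line as a quick check before and after the change.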