author | Andreas Fischer <boc@balanceofcowards.net> | 2022-10-12 04:44:09 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-11 22:44:09 -0400 |
commit | 9862936ed3f488896adb6ddc29eb25ef15185c41 (patch) | |
tree | 14aa474824129d69d8423254bcf6d07b72706983 /models/user | |
parent | b5a54f03a2045afae237f7bcb6eeb6e12f2c2ac5 (diff) | |
Make e-mail sanity check more precise (#20991)
For security reasons, all e-mail addresses starting with
non-alphanumeric characters were rejected. This is too broad and rejects
perfectly valid e-mail addresses. Only leading hyphens should be
rejected -- in all other cases e-mail address specification should
follow RFC 5322.
Co-authored-by: Andreas Fischer <_@ndreas.de>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'models/user')
-rw-r--r-- | models/user/email_address.go | 5 | ||||
-rw-r--r-- | models/user/email_address_test.go | 36 |
2 files changed, 21 insertions, 20 deletions
diff --git a/models/user/email_address.go b/models/user/email_address.go
index c931db9c16..d87b945706 100644
--- a/models/user/email_address.go
+++ b/models/user/email_address.go
@@ -41,6 +41,7 @@ func (err ErrEmailCharIsNotSupported) Error() string {
 }
 
 // ErrEmailInvalid represents an error where the email address does not comply with RFC 5322
+// or has a leading '-' character
 type ErrEmailInvalid struct {
 Email string
 }
@@ -134,9 +135,7 @@ func ValidateEmail(email string) error {
 return ErrEmailCharIsNotSupported{email}
 }
 
- if !(email[0] >= 'a' && email[0] <= 'z') &&
- !(email[0] >= 'A' && email[0] <= 'Z') &&
- !(email[0] >= '0' && email[0] <= '9') {
+ if email[0] == '-' {
 return ErrEmailInvalid{email}
 }
 
diff --git a/models/user/email_address_test.go b/models/user/email_address_test.go
index 471598c897..b9acaa1113 100644
--- a/models/user/email_address_test.go
+++ b/models/user/email_address_test.go
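Review bot: The new `if email[0] == '-'` check in ValidateEmail has no comment saying why a leading hyphen is singled out, and the commit message only says the rule exists "for security reasons". Now that the guard is a single byte comparison, a why-comment would stop a later cleanup from dropping it as redundant with the RFC 5322 rules, for example `// reject a leading '-' so the address can never be read as an option when it is passed to an external command`. That rationale is inferred from the commit message, not from anything visible in the hunk, so confirm it before committing the wording. If it holds, call sites that pass addresses to external programs should not rely on this validation alone, because addresses stored before the check existed never went through it. ValidateEmail starts and ends outside the hunk, so the non-empty guard that `email[0]` depends on is not visible here.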
@@ -281,23 +281,25 @@ func TestEmailAddressValidate(t *testing.T) {
 `first~last@iana.org`: nil,
 `first;last@iana.org`: user_model.ErrEmailCharIsNotSupported{`first;last@iana.org`},
 ".233@qq.com": user_model.ErrEmailInvalid{".233@qq.com"},
- "!233@qq.com": user_model.ErrEmailInvalid{"!233@qq.com"},
- "#233@qq.com": user_model.ErrEmailInvalid{"#233@qq.com"},
- "$233@qq.com": user_model.ErrEmailInvalid{"$233@qq.com"},
- "%233@qq.com": user_model.ErrEmailInvalid{"%233@qq.com"},
- "&233@qq.com": user_model.ErrEmailInvalid{"&233@qq.com"},
- "'233@qq.com": user_model.ErrEmailInvalid{"'233@qq.com"},
- "*233@qq.com": user_model.ErrEmailInvalid{"*233@qq.com"},
- "+233@qq.com": user_model.ErrEmailInvalid{"+233@qq.com"},
- "/233@qq.com": user_model.ErrEmailInvalid{"/233@qq.com"},
- "=233@qq.com": user_model.ErrEmailInvalid{"=233@qq.com"},
- "?233@qq.com": user_model.ErrEmailInvalid{"?233@qq.com"},
- "^233@qq.com": user_model.ErrEmailInvalid{"^233@qq.com"},
- "`233@qq.com": user_model.ErrEmailInvalid{"`233@qq.com"},
- "{233@qq.com": user_model.ErrEmailInvalid{"{233@qq.com"},
- "|233@qq.com": user_model.ErrEmailInvalid{"|233@qq.com"},
- "}233@qq.com": user_model.ErrEmailInvalid{"}233@qq.com"},
- "~233@qq.com": user_model.ErrEmailInvalid{"~233@qq.com"},
+ "!233@qq.com": nil,
+ "#233@qq.com": nil,
+ "$233@qq.com": nil,
+ "%233@qq.com": nil,
+ "&233@qq.com": nil,
+ "'233@qq.com": nil,
+ "*233@qq.com": nil,
+ "+233@qq.com": nil,
+ "-233@qq.com": user_model.ErrEmailInvalid{"-233@qq.com"},
+ "/233@qq.com": nil,
+ "=233@qq.com": nil,
+ "?233@qq.com": nil,
+ "^233@qq.com": nil,
+ "_233@qq.com": nil,
+ "`233@qq.com": nil,
+ "{233@qq.com": nil,
+ "|233@qq.com": nil,
+ "}233@qq.com": nil,
+ "~233@qq.com": nil,
 ";233@qq.com": user_model.ErrEmailCharIsNotSupported{";233@qq.com"},
 "Foo <foo@bar.com>": user_model.ErrEmailCharIsNotSupported{"Foo <foo@bar.com>"},
 string([]byte{0xE2, 0x84, 0xAA}): user_model.ErrEmailCharIsNotSupported{string([]byte{0xE2, 0x84, 0xAA})}, |