Make e-mail sanity check more precise (#20991)

For security reasons, all e-mail addresses starting with
non-alphanumeric characters were rejected. This is too broad and rejects
perfectly valid e-mail addresses. Only leading hyphens should be
rejected; in all other cases the e-mail address should follow
RFC 5322.

Co-authored-by: Andreas Fischer <_@ndreas.de>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Andreas Fischer 2022-10-12 04:44:09 +02:00 committed by GitHub
parent b5a54f03a2
commit 9862936ed3
2 changed files with 21 additions and 20 deletions


@ -41,6 +41,7 @@ func (err ErrEmailCharIsNotSupported) Error() string {
} }
// ErrEmailInvalid represents an error where the email address does not comply with RFC 5322 // ErrEmailInvalid represents an error where the email address does not comply with RFC 5322
// or has a leading '-' character
type ErrEmailInvalid struct { type ErrEmailInvalid struct {
Email string Email string
} }
@ -134,9 +135,7 @@ func ValidateEmail(email string) error {
return ErrEmailCharIsNotSupported{email} return ErrEmailCharIsNotSupported{email}
} }
if !(email[0] >= 'a' && email[0] <= 'z') && if email[0] == '-' {
!(email[0] >= 'A' && email[0] <= 'Z') &&
!(email[0] >= '0' && email[0] <= '9') {
return ErrEmailInvalid{email} return ErrEmailInvalid{email}
} }
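Review bot: The new `if email[0] == '-' {` check is a deliberate deviation from RFC 5322 but carries no in-code reason, so a later cleanup is likely to drop it as redundant with the regex check just above; a why-comment would preserve the intent, e.g. `// A leading '-' is rejected although RFC 5322 allows it: the address is handed to external tools as an argument, where it could be read as an option.` — that rationale is my reading of the commit message, which says only "for security reasons", so confirm the wording. `email[0]` also relies on an emptiness guard that sits outside this hunk; if that guard is ever relaxed this line panics on "", so `if len(email) > 0 && email[0] == '-' {` would be a cheap safeguard. ValidateEmail starts and ends outside the hunk.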


@ -281,23 +281,25 @@ func TestEmailAddressValidate(t *testing.T) {
`first~last@iana.org`: nil, `first~last@iana.org`: nil,
`first;last@iana.org`: user_model.ErrEmailCharIsNotSupported{`first;last@iana.org`}, `first;last@iana.org`: user_model.ErrEmailCharIsNotSupported{`first;last@iana.org`},
".233@qq.com": user_model.ErrEmailInvalid{".233@qq.com"}, ".233@qq.com": user_model.ErrEmailInvalid{".233@qq.com"},
"!233@qq.com": user_model.ErrEmailInvalid{"!233@qq.com"}, "!233@qq.com": nil,
"#233@qq.com": user_model.ErrEmailInvalid{"#233@qq.com"}, "#233@qq.com": nil,
"$233@qq.com": user_model.ErrEmailInvalid{"$233@qq.com"}, "$233@qq.com": nil,
"%233@qq.com": user_model.ErrEmailInvalid{"%233@qq.com"}, "%233@qq.com": nil,
"&233@qq.com": user_model.ErrEmailInvalid{"&233@qq.com"}, "&233@qq.com": nil,
"'233@qq.com": user_model.ErrEmailInvalid{"'233@qq.com"}, "'233@qq.com": nil,
"*233@qq.com": user_model.ErrEmailInvalid{"*233@qq.com"}, "*233@qq.com": nil,
"+233@qq.com": user_model.ErrEmailInvalid{"+233@qq.com"}, "+233@qq.com": nil,
"/233@qq.com": user_model.ErrEmailInvalid{"/233@qq.com"}, "-233@qq.com": user_model.ErrEmailInvalid{"-233@qq.com"},
"=233@qq.com": user_model.ErrEmailInvalid{"=233@qq.com"}, "/233@qq.com": nil,
"?233@qq.com": user_model.ErrEmailInvalid{"?233@qq.com"}, "=233@qq.com": nil,
"^233@qq.com": user_model.ErrEmailInvalid{"^233@qq.com"}, "?233@qq.com": nil,
"`233@qq.com": user_model.ErrEmailInvalid{"`233@qq.com"}, "^233@qq.com": nil,
"{233@qq.com": user_model.ErrEmailInvalid{"{233@qq.com"}, "_233@qq.com": nil,
"|233@qq.com": user_model.ErrEmailInvalid{"|233@qq.com"}, "`233@qq.com": nil,
"}233@qq.com": user_model.ErrEmailInvalid{"}233@qq.com"}, "{233@qq.com": nil,
"~233@qq.com": user_model.ErrEmailInvalid{"~233@qq.com"}, "|233@qq.com": nil,
"}233@qq.com": nil,
"~233@qq.com": nil,
";233@qq.com": user_model.ErrEmailCharIsNotSupported{";233@qq.com"}, ";233@qq.com": user_model.ErrEmailCharIsNotSupported{";233@qq.com"},
"Foo <foo@bar.com>": user_model.ErrEmailCharIsNotSupported{"Foo <foo@bar.com>"}, "Foo <foo@bar.com>": user_model.ErrEmailCharIsNotSupported{"Foo <foo@bar.com>"},
string([]byte{0xE2, 0x84, 0xAA}): user_model.ErrEmailCharIsNotSupported{string([]byte{0xE2, 0x84, 0xAA})}, string([]byte{0xE2, 0x84, 0xAA}): user_model.ErrEmailCharIsNotSupported{string([]byte{0xE2, 0x84, 0xAA})},
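Review bot: The new `"-233@qq.com"` entry pins the leading-hyphen rejection, but every entry in this part of the table varies only the first character, so nothing asserts that a hyphen elsewhere in the local part is still accepted; unless the table already holds such a case outside the hunk, an entry like `"a-233@qq.com": nil,` would document that the check is positional. The `"_233@qq.com": nil,` entry has no old-side counterpart and so reads as newly covered input; a one-line comment above the block stating why `-` alone is rejected while the other RFC 5322 atext characters are accepted would stop a future reader from "fixing" the asymmetry. TestEmailAddressValidate starts and ends outside the hunk.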