Evi1M4chine - 10 May 2014

OUTDATED:

Hello.

I just had to use a site made with Joomla (https://www.openecard.org/de/kontakt), and noticed that your e-mail validation code (in JFormValidator) is really really wrong.

Here’s the code: https://www.openecard.org/media/system/js/validate.js

The handler in question uses this regex:

/^[a-zA-Z0-9._-]+@([a-zA-Z0-9.-]+\.)+[a-zA-Z0-9.-]{2,4}$/

This could hardly be worse.

In reality, the name part, at least, allows just about anything in there: http://en.wikipedia.org/wiki/Email_address#Syntax

Here’s a list of valid e-mail addresses, most of which make your regex fall over: http://en.wikipedia.org/wiki/Email_address#Valid_email_addresses

In this concrete case, it fails to validate Google addresses with a + in them, like user.name+sometoken@gmail.com.

This is a very popular pattern to enter into services, so it’s possible to track how the sender got one’s e-mail address. If you enter myname+dumbsite@gmail.com into a form at dumbsite.com, and some strange site like smartsite.com sends you an e-mail, it will still go to myname@gmail.com, but you’ll see myname+dumbsite@gmail.com in the To: field, and know it actually came from dumbsite.com, and/or they gave smartsite.com your e-mail address.

But really, the e-mail checker should allow all valid addresses. I doubt your regex even works for addresses with foreign characters in them that are not inside the Latin ranges a-z and A-Z.

EDIT:

I just noticed that that site is rather outdated.

But the code is still wrong, since the current regex

/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/

still is a rather small subset of valid addresses. Try validating a Chinese address with a local punctuation mark with that.

Maybe it makes more sense to look at the actual RFC…

Evi1M4chine - open - 10 May 2014
Evi1M4chine - change - 10 May 2014
The description was changed
Title: "E-mail validation code really really wrong." changed to "E-Mail validation code still wrong."
Achal-Aggarwal - comment - 10 May 2014

Emails are validated in two steps: client side and server side. At client side, emails are first converted to their punycode representation and then passed to the regex for validation. So I guess it should work with all valid emails. The same thing happens at server side too.

If you could just add an example of a valid email address not passing validation, then we can find out what's not working for you.

The regex we are using is a superset of the regex provided in the HTML spec: http://www.w3.org/html/wg/drafts/html/master/forms.html#e-mail-state-(type=email)

Evi1M4chine - close - 10 May 2014
zero-24 - close - 10 May 2014
Evi1M4chine - comment - 10 May 2014

Ah. In that case, nevermind. :)

Then that site I mentioned above really needs to update their Joomla installation. :)

I shall send them a message they will be unable to ignore. :) (It is the site of a software project that every German citizen (>80 million people) is forced to use by law. So it better be damn secure and up-to-date.)

Thanks.

Evi1M4chine - change - 10 May 2014
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2014-05-10 18:31:51
Evi1M4chine - close - 10 May 2014
Achal-Aggarwal - comment - 10 May 2014

Thanks for raising an issue here. Yeah, do ping them to update their site to the latest version of joomla-cms (it has lots of features and security fixes). :)

zero-24 - change - 7 Jul 2015