Bug: flaws in email validation/sending

Bug: flaws in email validation/sending

Kim-2
  • CakePHP's email validation allows non-ASCII letter characters, e.g. á, in the local part of the email address (by the \p{L} unicode category construct). This should not be allowed, see https://en.wikipedia.org/wiki/Email_address#Local_part.
  • It also allows non-ASCII letter characters in the domain part. This allows Internationalized Domain Names (IDN). The problem here lies in the fact that this is not supported by the SmtpTransport. An SMTP client should convert them to so-called punycode ASCII, according to https://lists.exim.org/lurker/message/20140812.120609.bf764769.en.html. The MTA Exim does not accept the SMTP sequence. By the way, conversion to punycode can be done by PHP's idn_to_ascii().
These issues have been tested in the current 2.7 branch, but a quick code inspection confirms that they are also present in the master branch. As a workaround I have switched back to validation by PHP's filter_var(), used in a wrapper validation method.

The first issue can be fixed easily, although the right RFCs have to be consulted. For the second issue, we have to decide if we support IDN for email and if we do, support it (maybe not only in the SmtpTransport).

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
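An added example of the workaround described in the post above (this is not CakePHP code and not the poster's own wrapper): a validation method built around PHP's filter_var() that keeps the local part ASCII-only and converts an IDN domain with idn_to_ascii() before the address is handed to an SMTP transport. It assumes PHP 7.1 or later with the intl extension; the function name normalizeEmailForSmtp() and the sample addresses are made up for this illustration.

```php
<?php
/**
 * Added example, not CakePHP code: validate an address and return the form an
 * SMTP transport can put on the wire (ASCII local part, punycode/A-label domain),
 * or null if the address is rejected. Assumes PHP 7.1+ and ext/intl.
 * The function name is illustrative.
 */
function normalizeEmailForSmtp(string $address): ?string
{
    // Split on the last '@'. A quoted local part may itself contain '@', but the
    // quoted form is not accepted by this validator anyway.
    $at = strrpos($address, '@');
    if ($at === false || $at === 0 || $at === strlen($address) - 1) {
        return null;
    }
    $local  = substr($address, 0, $at);
    $domain = substr($address, $at + 1);

    // Issue 1 from the report: the local part must stay ASCII (dot-atom characters
    // only). A \p{L}-style regex would accept 'jösé'; this check rejects it.
    if (strlen($local) > 64
        || !preg_match('/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]+$/', $local)) {
        return null;
    }
    // Dot-atom rules: no leading or trailing dot and no consecutive dots.
    if ($local[0] === '.' || substr($local, -1) === '.' || strpos($local, '..') !== false) {
        return null;
    }

    // Issue 2 from the report: an IDN domain (e.g. exämple.de) must be converted to
    // its ASCII A-label form before it reaches the MTA. idn_to_ascii() from ext/intl
    // does that; without the extension we refuse rather than send raw UTF-8.
    if (preg_match('/[^\x00-\x7F]/', $domain)) {
        if (!function_exists('idn_to_ascii')) {
            return null;
        }
        $ascii = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
        if ($ascii === false) {
            return null; // IDNA processing rejected a label (e.g. disallowed code point)
        }
        $domain = $ascii;
    }

    // Domain syntax after conversion: one or more LDH labels of 1-63 characters,
    // none starting or ending with a hyphen, and at least one dot.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($domain) > 253 || !preg_match('/^(?:' . $label . '\.)+' . $label . '$/i', $domain)) {
        return null;
    }

    $candidate = $local . '@' . $domain;

    // Final gate, as in the poster's workaround: PHP's own validator. Without
    // FILTER_FLAG_EMAIL_UNICODE it only accepts ASCII, which is exactly what we want
    // for an address that is about to be used in an SMTP dialogue.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

// Constructed sample addresses covering the cases discussed in the thread.
$samples = [
    'john.doe@example.com', // plain ASCII: passes through unchanged
    'user@exämple.de',      // IDN domain: converted to its xn-- A-label form
    'jösé@example.com',     // non-ASCII local part: rejected
    'a..b@example.com',     // consecutive dots in the local part: rejected
];
foreach ($samples as $sample) {
    $result = normalizeEmailForSmtp($sample);
    printf("%-24s => %s\n", $sample, $result ?? 'REJECTED');
}
```

The conversion step is the one the SmtpTransport is missing according to the report: an address that passes a \p{L}-based regex but still contains a UTF-8 domain would otherwise be written into the RCPT TO command as-is, which is the sequence the poster reports Exim refusing. Returning the converted form from the validator, rather than only a boolean, lets the transport send what was actually validated.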
Re: Bug: flaws in email validation/sending

euromark
Please open a ticket at https://github.com/cakephp/cakephp/issues
This is just a discussion board, not a bug tracker.

Mark


On Saturday, 30 January 2016 05:33:10 UTC+1, Kim wrote:
  • CakePHP's email validation allows non-ASCII letter characters, e.g. á, in the local part of the email address (by the \p{L} unicode category construct). This should not be allowed, see https://en.wikipedia.org/wiki/Email_address#Local_part.
  • It also allows non-ASCII letter characters in the domain part. This allows Internationalized Domain Names (IDN). The problem here lies in the fact that this is not supported by the SmtpTransport. An SMTP client should convert them to so-called punycode ASCII, according to https://lists.exim.org/lurker/message/20140812.120609.bf764769.en.html. The MTA Exim does not accept the SMTP sequence. By the way, conversion to punycode can be done by PHP's idn_to_ascii().
These issues have been tested in the current 2.7 branch, but a quick code inspection confirms that they are also present in the master branch. As a workaround I have switched back to validation by PHP's filter_var(), used in a wrapper validation method.

The first issue can be fixed easily, although the right RFCs have to be consulted. For the second issue, we have to decide if we support IDN for email and if we do, support it (maybe not only in the SmtpTransport).
