Bugtraq mailing list archives
Re: A security vulnerability in S8Forum
From: David Wilson <David.Wilson () isode com>
Date: 08 Jan 2003 18:18:16 +0000
On Tue, 2003-01-07 at 03:20, Steve Watt wrote:
> In article <20030105032650.16087.h011.c009.wm () mail canada com criticalpath net> you write:
> [ snip ]
> > SOLUTION :
> > ==========
> > [ snip ]
> > if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email) && $email != "") {
>
> Please note that there are many more characters valid in the LHS of an email address, for example +, that are often desirable. Disallowing such addresses is a major nuisance.
Indeed. In fact, ANY ASCII character can appear in the local-part of the address, because the local part can be a quoted-string and a quoted-string can contain virtually any ASCII. Then, the domain can be a domain-literal, and this can contain CFWS, which can contain comments. Comments cannot be recognised by a regular expression as comments nest. RFC 2822 address validation requires knowledge of that standard.

David Wilson
Isode Limited
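The following is an added example, not code from the thread or from S8Forum. It ports the eregi() pattern from the proposed fix to Python (eregi() is case-insensitive, hence re.IGNORECASE; the rest of the POSIX ERE syntax used here means the same in Python's re module) and runs it against a constructed set of addresses that are valid under RFC 2822 but that the pattern rejects: a '+' in the local part, a quoted-string local part, a domain-literal, a comment, and, going one step beyond the thread, a top-level domain longer than three letters, which the trailing (\.[a-z]{2,3})$ also excludes. It then illustrates the nesting point: a single regular expression cannot strip '(isode (ltd))' as one comment, while a short depth-counting scanner can. The address strings and the function names are the example's own.

```python
import re

# The eregi() pattern from the proposed S8Forum fix, ported to Python.
S8FORUM_PATTERN = re.compile(
    r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
    re.IGNORECASE,
)


def s8forum_accepts(email: str) -> bool:
    """Mirror the patched check: the PHP rejects only when the regex fails
    AND the field is non-empty, so an empty string is accepted."""
    return email == "" or S8FORUM_PATTERN.match(email) is not None


# Constructed sample addresses, all syntactically valid under RFC 2822.
VALID_BUT_REJECTED = [
    "steve+bugtraq@example.com",   # '+' in the local part (Steve Watt's example)
    '"david wilson"@example.com',  # quoted-string local part; may hold almost any ASCII
    "david@[192.0.2.1]",           # domain-literal instead of a dotted domain
    "david(isode)@example.com",    # comment in the CFWS around a dot-atom
    "david@example.museum",        # TLD longer than 3 letters fails (\.[a-z]{2,3})$
]


def rejected_valid_addresses() -> list:
    """Return the valid sample addresses the pattern turns away."""
    return [addr for addr in VALID_BUT_REJECTED if not s8forum_accepts(addr)]


def naive_regex_strip(address: str) -> str:
    """Regex attempt at removing comments. It matches only the innermost
    parenthesised run, so a nested comment leaves '(isode )' behind."""
    return re.sub(r"\([^()]*\)", "", address)


def strip_comments(address: str) -> str:
    """Remove RFC 2822 comments, which nest, with a depth counter.

    Quoted strings are copied through untouched so a '(' inside "..." is
    not mistaken for a comment, and backslash quoted-pairs are honoured
    in both contexts. Raises on unbalanced input."""
    out = []
    depth = 0
    in_quotes = False
    i = 0
    while i < len(address):
        ch = address[i]
        if ch == "\\" and i + 1 < len(address):
            # quoted-pair: keep it outside comments, drop it inside them
            if depth == 0:
                out.append(address[i:i + 2])
            i += 2
            continue
        if in_quotes:
            out.append(ch)
            if ch == '"':
                in_quotes = False
        elif depth > 0:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        elif ch == "(":
            depth += 1
        elif ch == '"':
            in_quotes = True
            out.append(ch)
        else:
            out.append(ch)
        i += 1
    if depth != 0 or in_quotes:
        raise ValueError("unbalanced comment or quoted-string in address")
    return "".join(out)


if __name__ == "__main__":
    for addr in rejected_valid_addresses():
        print("rejected although valid:", addr)
    nested = "david(isode (ltd))@example.com"
    print("regex strip  :", naive_regex_strip(nested))
    print("scanner strip:", strip_comments(nested))
```

Stripping comments first rescues only the commented address; the '+', quoted-string, domain-literal and long-TLD cases are still refused, which is the thread's point that validating against a narrow character class is not the same as validating against RFC 2822.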
Current thread:
- A security vulnerability in S8Forum nmsh_sa (Jan 06)
- Re: A security vulnerability in S8Forum Steve Watt (Jan 21)
- Re: A security vulnerability in S8Forum David Wilson (Jan 15)
- Re: A security vulnerability in S8Forum Steve Watt (Jan 21)