Ticket #12733 (confirmed Bug)
Invalid RE applied to email addresses during password reset.
| Reported by: | hoss | Owned by: | admins@… |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.x |
| Component: | General | Version: | 4.2 |
| Keywords: | | Cc: | |
Description
In CMFPlone.RegistrationTool._checkEmail(), the following RE is applied to the email address string:
(".\.\-.|.\-\..|.\.\..|.\-\-.")
That's labeled as the 'e' test, in the _TESTS tuple. This is only applied during the mailPassword() function.
If an address matches that RE, the address is considered invalid, and the resulting password reset attempt will fail.
However, I believe that the RE applies an invalid validation. According to the specs*, the following sequences are acceptable in the local-part of the address:
.-
-.
--
And yet, the RE treats all of those as conditions for rejecting the email address. The only legitimate validation it seems to apply is to reject double dots ('..'). And it doesn't test for the presence of a dot at the start or end of the local-part (which are legitimate conditions for rejection).
Furthermore, these tests represent a different set of criteria for validating email addresses than is applied elsewhere in RegistrationTool.py, namely in registeredNotify() which uses validateSingleEmailAddress() and Products.CMFDefault.utils.checkEmailAddress() but NOT _checkEmail().
At the very least, the REs in _TESTS need to be revisited and compared against the spec for appropriateness (the 'e' test needs to be removed). But I believe that an opportunity exists for a more comprehensive fix, which involves consolidating all of the various email address validation logic in one place, to avoid situations that can occur now: where a given address works fine for some actions in Plone, but is rejected for others.
Change History
comment:1 Changed 4 years ago by eleddy
- Component changed from Plone Services to Infrastructure
- severity changed from Untriaged to Normal
comment:3 Changed 4 years ago by fulviocasali
By the way, not to muddy the waters, but as of the latest (https://github.com/plone/Products.CMFPlone/commit/ef79f0b1979f69eb8ed9365b569de03b9e18d7da#Products/CMFPlone/RegistrationTool.py), the RE is now:
".\.\-.|.\-\..|.\.\..|.!(xn)\-\-."
This change was made by:
r37357 | matthewwilkes | 2010-06-19 10:04:37 -0700 (Sat, 19 Jun 2010)
Consider domain names with TLDs longer than 4 characters to be valid. Also consider -- to be a valid identifier in domain names if it is proceeded by 'xn' to allow punycode. This fixes #10502
So, yes, it seems this particular RE at least is broken, since it applies rules to the entire email address that are really meant for the remote part, not the local.
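The behaviour discussed in the description and in comment:3, as an added example that is not part of the ticket or of Plone's code: it runs the 'e' pattern quoted in the description over constructed addresses and compares it with a check that applies dot rules to the local part and hyphen rules to each domain label. Assumptions: the pattern is searched over the whole address string, `part_aware_ok` is a hypothetical helper that covers only dot and hyphen placement (not the allowed character set), and all sample addresses are made up.

```python
import re

# The 'e' pattern exactly as quoted in the ticket description.
E_TEST = re.compile(r".\.\-.|.\-\..|.\.\..|.\-\-.")

def e_test_rejects(address):
    """True if the 'e' pattern fires. Assumption: it is searched over the whole address."""
    return E_TEST.search(address) is not None

def part_aware_ok(address):
    """Hypothetical check covering only dot/hyphen placement, split by address part."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return False
    # Local part: reject a leading, trailing or doubled dot; '.-', '-.' and '--' pass.
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    # Domain: labels must be non-empty and must not start or end with a hyphen.
    # That covers '..', '.-' and '-.' there and leaves 'xn--' punycode labels alone.
    return all(
        label and not label.startswith("-") and not label.endswith("-")
        for label in domain.split(".")
    )

# Constructed sample addresses, not taken from the ticket.
SAMPLES = [
    "first.-last@example.org",     # '.-' in the local part
    "first-.last@example.org",     # '-.' in the local part
    "first--last@example.org",     # '--' in the local part
    "first..last@example.org",     # doubled dot in the local part
    ".first@example.org",          # leading dot in the local part
    "first.@example.org",          # trailing dot in the local part
    "user@foo.-bar.example",       # domain label starting with a hyphen
    "user@xn--bcher-kva.example",  # punycode domain label
]

def compare(addresses=SAMPLES):
    """Return (address, rejected_by_e_test, accepted_by_part_aware_check) tuples."""
    return [(a, e_test_rejects(a), part_aware_ok(a)) for a in addresses]

if __name__ == "__main__":
    for address, rejected, ok in compare():
        print(f"{address:30} e-test rejects={rejected!s:5} part-aware ok={ok}")
```
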