View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003755 | OXID eShop (all versions) | 4.07. Source code, Test | public | 2012-03-23 10:19 | 2014-06-17 17:01 |
Reporter | manuel | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 4.5.8 revision 42471 | ||||
Target Version | 4.8.5 / 5.1.5 | Fixed in Version | 4.9.0_5.2.0_beta1 | ||
Summary | 0003755: Wrong validation for email addresses with an ampersand or other special chars | ||||
Description | First of all, if you use e-mail addresses with an ampersand for registration, for example "test&[email protected]", the JavaScript validation in src/azure/js/oxinputvalidator.js (isEmail()) is wrong due to the regex pattern used (no ampersands or other special chars are allowed there). Next, if you deactivate JavaScript and try to register with the same address, the function oxcmp_user::createUser() uses oxConfig::getParameter( 'lgn_usr' ) to get the e-mail address typed in by the user. Because no raw value is used, some special chars (like &) are replaced in oxConfig::checkSpecialChars() for the e-mail address, which results in a wrong email validation in oxutils::isValidEmail() (because & can't be used). | ||||
Steps To Reproduce | Try to use the email address "test&[email protected]" for registration. | ||||
Additional Information | See http://tools.ietf.org/html/rfc2822#page-12 for the allowed special chars in the local part of an email address. For example, the same misbehavior occurs if you use the char ' in e-mail addresses. It should be tested whether more allowed chars are affected by this. | ||||
Tags | |||||
Attached Files | oxid-3755-email_validation.txt (799 bytes)
diff --git core/oxutils.php core/oxutils.php index 87a0baa..08cceb2 100644 --- core/oxutils.php +++ core/oxutils.php @@ -314,8 +314,14 @@ class oxUtils extends oxSuperCfg { $blValid = true; if ( $sEmail != 'admin' ) { - $sEmailTpl = "/^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/i"; - $blValid = ( getStr()->preg_match( $sEmailTpl, $sEmail ) != 0 ); + + // enforce maximum length to prevent libpcre recursion crash bug #52929 in PHP + // fixed in PHP 5.3.4; length restriction per SMTP RFC 2821 + if (strlen($sEmail) > 320) { + return FALSE; + } + + $blValid = (filter_var($sEmail, FILTER_VALIDATE_EMAIL) !== FALSE); } return $blValid; | ||||
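Review bot: the early `return FALSE;` added inside the `if ( $sEmail != 'admin' )` block bypasses the method's single exit through `$blValid`; prefer `$blValid = false;` with the `filter_var()` call in an else branch (or fold the length check into the boolean expression) so the result keeps flowing through the variable that `return $blValid;` already returns, which also keeps the method predictable for modules that extend it. The hunk additionally makes `isValidEmail()` depend on `filter_var()` and `FILTER_VALIDATE_EMAIL`, while the issue lists "PHP Version: any"; the minimum PHP version those require should be stated next to the existing comment about PHP 5.3.4.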
Theme | All | ||||
Browser | All | ||||
PHP Version | any | ||||
Database Version | any | ||||
related to | 0003073 | resolved | Linas Kukulskis | email validation |
has duplicate | 0004870 | resolved | Linas Kukulskis | oxUtils->isValidEmail does not allow RFC allowed characters |
has duplicate | 0004884 | resolved | Linas Kukulskis | oxUtils::isValidEmail($email) not conform with RFC 2822 |
related to | 0005097 | resolved | saulius.stasiukaitis | Accept "+" in E-Mail |
related to | 0005713 | resolved | saulius.stasiukaitis | New TLDs are not accepted by oxinputvalidator |

Tested in current demo-shops too.

My proposal to fix this issue on the PHP side would be to use the built-in PHP function filter_var() to check if an e-mail address is valid. I don't see the need to reinvent the wheel here.

I attached a patch that implements the filter_var() function. The code is from the TYPO3 method t3lib_div::validEmail().

An alternative to using filter_var() would be to use the regexp from http://labs.phurix.net/posts/what-is-a-valid-email-address : http://hm2k.googlecode.com/svn/trunk/code/php/functions/validate_email.php BTW, compare this issue with issue 3073: https://bugs.oxid-esales.com/view.php?id=3073 : The email address mentioned in bug id 3073 (my/[email protected]) is a _valid_ and not a wrong email address. Another example: _/-.test&[email protected] is also a correct email address. The poor email check of OXID should be improved.

Gmail widely uses emails like user+randomtext@gmail[do0t].com, which makes it impossible to buy in the shop. Since the error message is wrong (the email is NOT invalid), the customer gets confused. Is there any reason not to use the solution provided by thorsten_albrecht?

Waiting for the PO decision.

JavaScript changed to allow almost all possible cases that have a correct structure. A MailValidator class was added to validate mail. This class validates by the config value sEmailValidationRule. The validation rule may be changed by changing the config value, setting a different rule, or extending the class with a module.
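An added example, not OXID code and not the attached patch, that puts the regex removed by the patch next to the filter_var() check it introduces and, in a third column, models the oxConfig::checkSpecialChars() path from the description by escaping the parameter before validation. The addresses are constructed on example.com, and htmlspecialchars() is an assumption standing in for checkSpecialChars().

```php
<?php
// Added example, not OXID code: the removed regex from the patch hunk next to the
// filter_var() check it introduces, plus the escaping path the description reports.

// Old pattern, verbatim from the line the attached patch removes.
const OLD_EMAIL_PATTERN = '/^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/i';

function isValidEmailOld(string $email): bool
{
    return preg_match(OLD_EMAIL_PATTERN, $email) === 1;
}

// Behaviour of the patched method: length guard, then PHP's built-in validator.
function isValidEmailNew(string $email): bool
{
    if (strlen($email) > 320) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Models the second bug path: the parameter is HTML-escaped before validation.
// htmlspecialchars() is an assumption standing in for oxConfig::checkSpecialChars();
// the point is that "&" becomes "&amp;" and "'" becomes "&#039;" before the check,
// so an address that filter_var() accepts is rejected anyway.
function validateEscapedParameter(string $rawParam): bool
{
    return isValidEmailNew(htmlspecialchars($rawParam, ENT_QUOTES));
}

// Addresses constructed for this example (example.com, no real accounts).
$samples = [
    'test&test@example.com',
    'my/test@example.com',
    '_/-.test&test@example.com',
    'user+randomtext@example.com',
    "o'neil@example.com",
    'plain@example.com',
];

printf("%-28s %-4s %-4s %s\n", 'address', 'old', 'new', 'new-after-escaping');
foreach ($samples as $addr) {
    printf("%-28s %-4d %-4d %d\n", $addr,
        isValidEmailOld($addr), isValidEmailNew($addr), validateEscapedParameter($addr));
}
```

The third column is why the PHP-side fix alone is not enough: the validator has to see the raw parameter, with escaping applied only when the value is rendered.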