MantisBT

ID: 0016894
Project: mantisbt
Category: email
View Status: public
Date Submitted: 2014-01-27 17:52
Last Update: 2014-06-03 12:01
Reporter: grangeway
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: feedback
Resolution: reopened
Summary: 0016894: Don't allow invalid email addresses (e.g. fred@localhost) to be used when signing up
Description: Following commit https://github.com/mantisbt/mantisbt/commit/50d235ad101f61a6c6888316e827fd225ad4b9cd

Mantis allows users to sign up with an email address such as fred@localhost, when email validation is enabled.

The expected behaviour should be that we reject this sort of email address when requiring a user to enter a valid email address.
Tags: No tags attached.

Relationships
related to 0014631 (closed, dregad): Email validation needs to be consistent
related to 0011978 (closed, dregad): 'user@localhost' not a valid email address.
related to 0017275 (assigned, grangeway): email matching within Mantis should follow html5 standard

Notes
(0039204)
dregad (developer)
2014-01-28 01:23

The thing is that fred@localhost *is* a perfectly *valid* address as per RFC5322 specification [1], and must therefore be allowed (see sections 3.4.1 and 3.2.3 for details):

addr-spec = local-part "@" domain
domain = dot-atom / domain-literal / obs-domain
dot-atom = [CFWS] dot-atom-text [CFWS]
dot-atom-text = 1*atext *("." 1*atext)

The last bit (dot-atom-text) says that there must be 1 or more chars followed by zero or more groups of ("." followed by 1 or more chars).

[1] http://tools.ietf.org/html/rfc5322
(0039208)
dregad (developer)
2014-01-28 04:43

Maybe I was a bit fast in closing this. Reopening for discussion following up on grangeway's message on the mailing list [1] which I only just saw.

> We *now* accept an email address such as fred@localhost
[emphasis mine]

They were accepted before, their being rejected is only a very recent thing [2].

> we shouldn't accept non-routable email addresses if email validation is on.

I'm fine with that on principle, bearing in mind the fact that the domain part of the email is not of the form "domain.tld", does not in itself make the address invalid, or more specifically, not routable. Likewise, an address with a ".tld" part can be invalid if the server behind it is a mail server without an MX.

> If a user wants/needs to allow non-routable email addresses they can always turn off the validation functionality.

That could be an option.

> Given that PHP contains an api function to validate an email address, I believe we should make use of that function.

I disagree, this is exactly what I reverted - the PHP function rejects user@domain addresses [3]

Note: it would appear that the regexp used by PHP filter_vars is apparently an old version of the one used in PHPMailer [4]


> If not, I suggest we make a config option to allow users to choose to use the functionality provided within php itself, as opposed to a custom implementation.

I can't believe *you* are suggesting to add a new config option ;-)


[1] http://thread.gmane.org/gmane.comp.bug-tracking.mantis.devel/4985
[2] https://github.com/mantisbt/mantisbt/commit/4235a08618da1d66b44337867b72f4fdea633dc0
[3] https://bugs.php.net/bug.php?id=49576
[4] http://squiloople.com/2009/12/20/email-address-validation/
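
The dot-atom grammar quoted in note 0039204 and the syntax-versus-policy question raised in note 0039208, as an added example that is not part of the thread and is not MantisBT or PHPMailer code. Function and constant names are hypothetical; it checks the dot-atom form only and keeps the "domain.tld" requirement as a separate opt-in policy, printed next to PHP's own filter_var() for comparison.

```php
<?php
// Added example; not MantisBT's code. All names here are hypothetical.

// atext, RFC 5322 section 3.2.3: letters, digits and these printable specials.
const ATEXT = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]';

/**
 * Syntax check: dot-atom-text "@" dot-atom-text, i.e. 1*atext *("." 1*atext)
 * on both sides. Quoted-string local parts, domain literals, CFWS and the
 * obsolete forms are deliberately out of scope.
 */
function is_dot_atom_addr(string $addr): bool
{
    $dotAtom = ATEXT . '+(?:\.' . ATEXT . '+)*';
    // D modifier: "$" must not match before a trailing newline, so an
    // address carrying CR/LF cannot slip through into a mail header.
    return preg_match('/^' . $dotAtom . '@' . $dotAtom . '$/D', $addr) === 1;
}

/**
 * Site policy layered on top of syntax: optionally insist on a dotted
 * domain ("domain.tld"). A deployment choice, not part of the RFC grammar.
 */
function accept_signup_email(string $addr, bool $requireDottedDomain): bool
{
    if (!is_dot_atom_addr($addr)) {
        return false;
    }
    // atext excludes "@", so a syntactically valid address has exactly one.
    $domain = substr($addr, strrpos($addr, '@') + 1);
    return !$requireDottedDomain || strpos($domain, '.') !== false;
}

// Constructed sample inputs, including malformed and newline-terminated ones.
$samples = ['fred@localhost', 'fred@example.com', 'fred@.com',
            'fred@host.', "fred@localhost\n", 'fred'];
foreach ($samples as $s) {
    printf("%-20s syntax=%s dotted-policy=%s filter_var=%s\n",
        json_encode($s),
        var_export(is_dot_atom_addr($s), true),
        var_export(accept_signup_email($s, true), true),
        var_export(filter_var($s, FILTER_VALIDATE_EMAIL) !== false, true));
}
```

Neither check says anything about deliverability; that depends on what the local SMTP server can resolve and route.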
(0039212)
cor3huis (reporter)
2014-01-28 05:13

PLZ stick to RFC5322 indeed, we have an internal DNS with just names like "superserver" "wow" "itsfine".

The expected behavior should be that we accept this sort of email address when requiring a user to enter a valid email address. ;)
(0040194)
grangeway (developer)
2014-04-30 13:41

This is still something we need to look at -

If someone wants to require users to require a valid internet mail address, then fred@localhost is invalid. If you want to allow invalid internet addresses, then you can disable the email validation options.
(0040195)
dregad (developer)
2014-04-30 20:10

> If you want to allow invalid internet addresses,

First of all, I'll repeat AGAIN that these addresses are VALID, they respect the RFC5322 specification. Just because the PHP team took the decision not to follow the RFC, does not make it right.

> then you can disable the email validation options.

No you can't. You still need to have addresses that your local SMTP server can process.

Reference read on address validation:
http://squiloople.com/2009/12/20/email-address-validation/
(0040197)
dregad (developer)
2014-05-01 18:39

See PR https://github.com/mantisbt/mantisbt/pull/172

That should satisfy both grangeway's concerns and my/cor3huis requirement for fully RFC5322-compliant emails.
(0040198)
grangeway (developer)
2014-05-01 19:04

I've been looking at this a bit more, and RFCs/standards, so whilst I'm not necessarily sure I agree with it, the 'standards' do seem to allow @localhost.

I'm going to raise a separate bug report and put in a pull request over the weekend to move the validation out of phpmailer and to follow what seems to be an agreed standard.
(0040200)
dregad (developer)
2014-05-02 02:32

Until then, this should remain open since there is a pull request with open discussion pending. If and when you do submit yours, we can compare them and decide which one should be implemented.

Issue History
Date Modified Username Field Change
2014-01-27 17:52 grangeway New Issue
2014-01-27 17:59 atrol Relationship added related to 0014631
2014-01-27 22:36 vboctor Summary Mantis allows invalid email addresses to be used by users when signing up e.g. fred@localhost => Dont' allow invalid email addresses to be used when signing up e.g. fred@localhost
2014-01-27 22:37 vboctor Summary Dont' allow invalid email addresses to be used when signing up e.g. fred@localhost => Don't allow invalid email addresses (e.g. fred@localhost) to be used when signing up
2014-01-28 01:23 dregad Note Added: 0039204
2014-01-28 01:23 dregad Status new => resolved
2014-01-28 01:23 dregad Resolution open => won't fix
2014-01-28 01:23 dregad Assigned To => dregad
2014-01-28 04:43 dregad Assigned To dregad =>
2014-01-28 04:43 dregad Note Added: 0039208
2014-01-28 04:43 dregad Status resolved => feedback
2014-01-28 04:43 dregad Resolution won't fix => reopened
2014-01-28 05:13 cor3huis Note Added: 0039212
2014-01-28 18:25 atrol Relationship added related to 0011978
2014-04-30 11:17 dregad Status feedback => resolved
2014-04-30 11:17 dregad Resolution reopened => won't fix
2014-04-30 11:17 dregad Assigned To => dregad
2014-04-30 13:41 grangeway Note Added: 0040194
2014-04-30 13:41 grangeway Status resolved => feedback
2014-04-30 13:41 grangeway Resolution won't fix => reopened
2014-04-30 20:10 dregad Note Added: 0040195
2014-05-01 18:39 dregad Note Added: 0040197
2014-05-01 18:39 dregad Status feedback => assigned
2014-05-01 19:04 grangeway Note Added: 0040198
2014-05-01 19:04 grangeway Status assigned => resolved
2014-05-01 19:04 grangeway Resolution reopened => won't fix
2014-05-02 02:32 dregad Note Added: 0040200
2014-05-02 02:32 dregad Status resolved => feedback
2014-05-02 02:32 dregad Resolution won't fix => reopened
2014-06-03 12:01 dregad Relationship added related to 0017275

