[28440] in bugtraq
Re: A security vulnerability in S8Forum
daemon@ATHENA.MIT.EDU (David Wilson)
Wed Jan 15 15:34:01 2003
From: David Wilson <David.Wilson@isode.com>
To: bugtraq@securityfocus.com
In-Reply-To: <200301070320.h073K1b4014387@wattres.Watt.COM>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 08 Jan 2003 18:18:16 +0000
Message-Id: <1042049915.9242.182.camel@delta.isode.net>
Mime-Version: 1.0
On Tue, 2003-01-07 at 03:20, Steve Watt wrote:
> In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
> [ snip ]
> >SOLUTION :
> >==========
> [ snip ]
> > if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
> >$email) && $email !=
> >"") {
>
> Please note that there are many more characters valid in the LHS of an
> email address, for example +, that are often desirable. Disallowing
> such addresses is a major nuisance.
Indeed.
In fact, ANY ASCII character can appear in the local-part of the
address, because the local part can be a quoted-string and a
quoted-string can contain any virtually any ASCII.
Then, the domain can be a domain-literal, and this can contain CFWS,
which can contain comments. Comments cannot be recognised by a regular
expression as comments nest.
RFC 2822 address validation requires knowlege of that standard.
David Wilson
Isode Limited
