Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#44191 new defect (bug)

is_email() function accepts non RFC822

Reported by: vonsch
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.7
Component: General
Keywords:
Focuses:
Cc:


is_email() seems to declare non-RFC822-compliant addresses as valid email addresses. The following email address came through a WooCommerce shop; the email address is altered.


Due to the '.' at the end of the local part, the email address is not valid or RFC822 compliant; the logic shall be as follows:

local-part = word *("." word)

Still, the above mail address passes. (WooCommerce uses the is_email() function to determine the email address validity.)

Change History (2)

#1 @swissspidy
4 weeks ago

IIRC Gmail doesn't care about dots, so email addresses like foo.bar.@gmail.com are valid. If someone uses that on a site, I would expect it to work.

#2 @vonsch
4 weeks ago

I was also surprised, but I checked RFC822 and unfortunately you are wrong. Here it is, RFC822:

6.1. Syntax
local-part = word *("." word) ; uninterpreted ; case-preserved

word = atom / quoted-string
atom = 1*<any CHAR except specials, SPACE and CTLs>

Even though '.' is not special per atom, it is special in the word *("." word) rule, as at least one atom is expected as a word. So according to the specs foo.bar.@gmail.com is incorrect, but foo.bar..@gmail.com might be correct.

I would never have noticed, unless a client triggered this error and that caused certain functions to fail. I guess that all WordPress versions are affected, not just 4.7.

Last edited 4 weeks ago by vonsch
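
The RFC 822 local-part rules quoted in this ticket, written out as a stand-alone PHP check and run over the addresses discussed above. This is an added example, not WordPress core code and not part of the ticket: the function names and the example.com addresses are constructed here, and the list of specials comes from RFC 822's lexical tokens. It checks the local part only, not the domain.

```php
<?php
// Added example: checks the local part of an address against the RFC 822
// rules quoted above. Not WordPress code; names here are hypothetical.

function rfc822_local_part_is_valid(string $local): bool
{
    // atom = 1*<any CHAR except specials, SPACE and CTLs>
    // CHAR is 7-bit ASCII; specials are ( ) < > @ , ; : \ " . [ ]
    $atom = '[^\x00-\x20\x7F-\xFF()<>@,;:\\\\".\[\]]+';
    // quoted-string = <"> *(qtext / quoted-pair) <">
    $quoted = '"(?:[^"\\\\\r\x80-\xFF]|\\\\[\x00-\x7F])*"';
    // word = atom / quoted-string
    $word = '(?:' . $atom . '|' . $quoted . ')';
    // local-part = word *("." word); D stops "$" matching before a final newline
    $pattern = '/^' . $word . '(?:\.' . $word . ')*$/D';

    return preg_match($pattern, $local) === 1;
}

function rfc822_local_part_of(string $address): ?string
{
    // The domain cannot contain "@", so the last "@" separates the two parts.
    $at = strrpos($address, '@');
    return $at === false ? null : substr($address, 0, $at);
}

// Addresses from the ticket plus constructed ones on example.com.
$samples = [
    'foo.bar@example.com',      // two words joined by one dot
    'foo.bar.@gmail.com',       // trailing dot: no word after the last "."
    'foo.bar..@gmail.com',      // empty word between and after the dots
    '.foo@example.com',         // leading dot: no word before the first "."
    '"foo.bar."@example.com',   // dots inside a quoted-string are plain qtext
];

foreach ($samples as $address) {
    $local = rfc822_local_part_of($address);
    $ok = $local !== null && rfc822_local_part_is_valid($local);
    printf("%-26s %s\n", $address, $ok ? 'valid' : 'invalid');
}
```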