Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#44191 closed defect (bug) (duplicate)

is_email() function accepts non RFC822

Reported by: vonsch
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords:
Focuses:
Cc:

Description

is_email() seems to declare non-RFC822-compliant addresses as valid email addresses. The following email address came through a WooCommerce shop; the email address is altered.

faaanebencze.lujza.@…

Due to the '.' at the end of the local part, the email address is not valid or RFC822 compliant; the logic shall be as follows:

local-part = word *("." word)

Still, the above mail address passes. (WooCommerce uses the is_email() function to determine email address validity.)

Attachments (1)

#44191.patch (3.7 KB) - added by arena 6 years ago.
proposed patch for a total review of is_email code


Change History (7)

#1 @swissspidy
7 years ago

IIRC Gmail doesn't care about dots, so email addresses like foo.bar.@gmail.com are valid. If someone uses that on a site, I would expect it to work.

#2 @vonsch
7 years ago

I was also surprised, but checked RFC822 and unfortunately you are wrong. Here it is, RFC822:

6.1. Syntax
local-part = word *("." word) ; uninterpreted ; case-preserved

3.3. LEXICAL TOKENS
word = atom / quoted-string
atom = 1*<any CHAR except specials, SPACE and CTLs>

Even though '.' is not special per atom, it is special in the word *("." word) rule, as at least one atom is expected as a word. So according to the specs, foo.bar.@gmail.com is incorrect, but foo.bar..@gmail.com might be correct.

Would have never noticed, unless a client triggered this error and that caused certain functions to fail. Guess that all WordPress versions are affected, not just 4.7.

Last edited 7 years ago by vonsch
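The RFC 822 rules quoted in the description and in the comment above (local-part, word, atom), as an added example that is not WordPress core code and not part of any comment: a preg_match-only check of the local part, with an optional hook on core's is_email filter. The function names rfc822_local_part_is_valid and strict_local_part_is_email are hypothetical, the specials list is taken from RFC 822 section 3.3, and the last two sample local parts are constructed.

```php
<?php
// Added example: not WordPress core code. Function names are hypothetical.

/**
 * RFC 822 local part, per the rules quoted in this ticket:
 *   local-part = word *("." word)
 *   word       = atom / quoted-string
 */
function rfc822_local_part_is_valid( $local ) {
	// atom: 1+ 7-bit chars, excluding CTLs, SPACE and the RFC 822 specials
	// ( ) < > @ , ; : \ " . [ ]
	$atom = '[^\x00-\x20\x7F-\xFF()<>@,;:\\\\".\[\]]+';
	// quoted-string: qtext (anything but ", \ and CR) or "\" plus any CHAR.
	$quoted = '"(?:[^"\\\\\r\x80-\xFF]|\\\\[\x00-\x7F])*"';
	$word   = "(?:$atom|$quoted)";

	// \A and \z pin the match to the true string ends (no trailing newline).
	return 1 === preg_match( "/\\A$word(?:\\.$word)*\\z/", $local );
}

/**
 * Stricter pass on top of core's checks, attached to the 'is_email' filter.
 * A value already rejected by core stays rejected.
 */
function strict_local_part_is_email( $is_email, $email ) {
	$at = strrpos( (string) $email, '@' );
	if ( false === $is_email || false === $at ) {
		return false;
	}
	return rfc822_local_part_is_valid( substr( $email, 0, $at ) ) ? $is_email : false;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: register the filter.
	add_filter( 'is_email', 'strict_local_part_is_email', 10, 2 );
} elseif ( 'cli' === PHP_SAPI ) {
	// Stand-alone run. Local parts from the ticket, then two constructed ones.
	$samples = array( 'faaanebencze.lujza.', 'foo.bar.', 'foo.bar..', 'foo.bar', '"foo bar".baz' );
	foreach ( $samples as $local ) {
		$verdict = rfc822_local_part_is_valid( $local ) ? 'valid' : 'invalid';
		printf( "%-22s %s\n", $local, $verdict );
	}
}
```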

@arena
6 years ago

proposed patch for a total review of is_email code

#3 @arena
6 years ago

  • Keywords has-patch added

the function is_email has 9 apply_filters ...

#4 @swissspidy
6 years ago

  • Keywords needs-patch added; has-patch removed

@arena We can't rely on filter_var as the filter module might not be available in PHP, i.e. if PHP was compiled without the filter module. That's why you won't find any filter_var calls in core.

#5 @arena
6 years ago

new patch here :

Ticket #17491 (opened 8 years ago) :

is_email_new.patch

#6 @ocean90
6 years ago

  • Component changed from General to Formatting
  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 4.7 deleted

Duplicate of #17491.
