BugTraq
A security vulnerability in S8Forum Jan 05 2003 11:26AM
nmsh_sa canada com (1 replies)
Re: A security vulnerability in S8Forum Jan 07 2003 03:20AM
steve Watt COM (Steve Watt) (1 replies)
Re: A security vulnerability in S8Forum Jan 08 2003 06:18PM
David Wilson (David Wilson isode com)
On Tue, 2003-01-07 at 03:20, Steve Watt wrote:
> In article <20030105032650.16087.h011.c009.wm (at) mail.canada.com.criticalpath (dot) net [email concealed]> you write:
> [ snip ]
> >SOLUTION :
> >==========
> [ snip ]
> > if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
> >$email) && $email != "") {
>
> Please note that there are many more characters valid in the LHS of an
> email address, for example +, that are often desirable. Disallowing
> such addresses is a major nuisance.

Indeed.

In fact, ANY ASCII character can appear in the local-part of the
address, because the local part can be a quoted-string and a
quoted-string can contain virtually any ASCII.

Then, the domain can be a domain-literal, and this can contain CFWS,
which can contain comments. Comments cannot be recognised by a regular
expression as comments nest.

RFC 2822 address validation requires knowledge of that standard.

David Wilson
Isode Limited
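
The points raised in this thread, as an added example that is not part of the original messages: the advisory's pattern (ported from PHP's eregi to Python's re) is run against constructed addresses that are valid under RFC 2822, and a small scanner shows that removing nested comments needs a depth counter. The function names and sample addresses are assumptions, and the scanner handles quoted-strings and quoted-pairs only, not domain-literals.

```python
import re

# The pattern from the quoted advisory; IGNORECASE mirrors eregi.
ADVISORY_RE = re.compile(
    r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
    re.IGNORECASE,
)

# Constructed samples, each syntactically valid under RFC 2822:
# a "+" in the local part, a quoted-string local part, a domain-literal.
VALID_SAMPLES = ["user+tag@example.com", '"john doe"@example.com',
                 "user@[192.0.2.1]"]

def rejected_by_advisory(samples=VALID_SAMPLES):
    """Return the valid sample addresses the advisory's pattern refuses."""
    return [a for a in samples if not ADVISORY_RE.match(a)]

def strip_comments(text):
    """Remove RFC 2822 comments, which may nest, from an address string.

    Tracks parenthesis depth, honours quoted-pairs (backslash escapes) and
    ignores parentheses inside quoted-strings. Raises ValueError when a
    comment or quoted-string is left open.
    """
    out, depth, in_quotes, i = [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            if depth == 0:              # keep the escape outside comments
                out.append(text[i:i + 2])
            i += 2                      # the escaped character is never syntax
            continue
        if depth == 0 and ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch == "(":
            depth += 1                  # one level deeper for each "("
        elif not in_quotes and ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')'")
            depth -= 1
            i += 1                      # the closing paren is part of the comment
            continue
        if depth == 0:
            out.append(ch)
        i += 1
    if depth or in_quotes:
        raise ValueError("unterminated comment or quoted-string")
    return "".join(out)
```
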
