From 209417359ff2a8779738401208b3e62d9aaa131e Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Tue, 8 Nov 2022 12:16:00 -0800
Subject: [PATCH] web: fix is_valid_email_addr()
Use a PHP function to do this (filter_var()). The regular expression we were using allowed e.g. commas. Also fix the logic for using stopforumspam.com (check email addr even if client IP addr missing)
---
 html/inc/email.inc | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/html/inc/email.inc b/html/inc/email.inc
index 2d9b42bcc3..14546b14c2 100644
--- a/html/inc/email.inc
+++ b/html/inc/email.inc
@@ -137,16 +137,25 @@ Note: Your password will need to be recovered after clicking this link";
 return send_email($user, $subject, $body_new) && send_email($user, $subject, $body_old, null, $user->previous_email_addr);
 }
-// a valid email address is of the form A@B.C
-// where A, B, C are nonempty,
-// A and B don't contain @ or .,
-// and C doesn't contain @ and is at least 2 chars
+// check whether email addr is syntactically valid.
+// if using stopforumspam.com, check it too
 //
 function is_valid_email_addr($addr) {
- if (defined("USE_STOPFORUMSPAM") && USE_STOPFORUMSPAM && array_key_exists('REMOTE_ADDR', $_SERVER)) {
- $ip = $_SERVER['REMOTE_ADDR'];
- // For obviously private IPs check just the email against SFS, otherwise check both IP and email
- if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+ if (defined("USE_STOPFORUMSPAM") && USE_STOPFORUMSPAM) {
+ // For obviously private IPs check just the email against SFS,
+ // otherwise check both IP and email
+ //
+ $use_ip = false;
+ if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
+ $ip = $_SERVER['REMOTE_ADDR'];
+ if (filter_var(
+ $ip, FILTER_VALIDATE_IP,
+ FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
+ )) {
+ $use_ip = true;
+ }
+ }
+ if ($use_ip) {
 $x = @file_get_contents("https://www.stopforumspam.com/api?ip=".$ip."&email=".$addr);
 } else {
 $x = @file_get_contents("https://www.stopforumspam.com/api?email=".$addr);
@@ -155,9 +164,7 @@ function is_valid_email_addr($addr) {
 return false;
 }
 }
- $pattern = '/^([^@]+)@([^@\.]+)\.([^@]{2,})$/';
- $match = preg_match($pattern, $addr);
- return (bool) $match;
+ return filter_var($addr, FILTER_VALIDATE_EMAIL);
 }
 function send_confirm_delete_email($user) {
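Review bot: The address is still concatenated unencoded into the stopforumspam query string (`"...api?email=".$addr`) before the syntactic check at the end of the function runs, so whatever string reaches this function is sent verbatim over the network, and characters such as `&`, `#` or whitespace in it change the request rather than being looked up. Run the `filter_var($addr, FILTER_VALIDATE_EMAIL)` check first and return early on failure, and build the URL with `rawurlencode()` applied to both `$ip` and `$addr`. Rejecting malformed input up front also avoids an outbound request for values that would be refused anyway. The `$x === false` handling and the remainder of is_valid_email_addr continue outside this hunk; with the early check in place, the function's final `return filter_var(...)` reduces to `return true;`.
```php
function is_valid_email_addr($addr) {
    // reject malformed input before any outbound lookup, so only a
    // well-formed address is ever placed in the SFS query string
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (defined("USE_STOPFORUMSPAM") && USE_STOPFORUMSPAM) {
        // … unchanged: $use_ip determination …
        if ($use_ip) {
            $x = @file_get_contents("https://www.stopforumspam.com/api?ip=".rawurlencode($ip)."&email=".rawurlencode($addr));
        } else {
            $x = @file_get_contents("https://www.stopforumspam.com/api?email=".rawurlencode($addr));
        }
        // … unchanged: SFS response handling (continues past the hunk) …
```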
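Review bot: `return filter_var($addr, FILTER_VALIDATE_EMAIL);` returns the validated address string on success rather than a bool, so the function's contract silently changes from the old `return (bool) $match;`; a caller that compares the result with `=== true` would now treat every address as invalid, while `!is_valid_email_addr(...)` style callers keep working by accident. Keep the boolean contract explicit with `return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;`. The head of is_valid_email_addr, including the stopforumspam branch, lies outside this hunk.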