View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005290 | Composr alpha bug reports | [All Projects] General / Uncategorised | public | 2023-02-18 16:18 | 2023-02-22 00:10 |
Reporter | Chris Graham | Assigned To | Patrick Schmalstig | ||
Severity | Minor-bug | ||||
Status | resolved | Resolution | fixed | ||
Summary | 0005290: Fix missing email address validation | ||||
Description |

On a normal site, an invalid email address slipping through won't be too much of a problem. It will be passed to the outbound email server without much in terms of checks, and that will generate an error to the server admin in some form. However, on a site using a direct SMTP connection, an invalid email address can get stuck in the queue. Composr can't (and I'd say shouldn't) try and distinguish between situations where the SMTP server it is connecting to is down and when the SMTP server is refusing an email. So we need to validate email addresses better so that this does not happen.

Here are two templates that should use type="email" for automatic frontend validation...

```
./themes/default/templates/COMMENTS_POSTING_FORM.tpl:86: <input aria-errormessage="error-email-msg" id="email" name="email" value="{$MEMBER_EMAIL*}" type="text" tabindex="2" maxlength="255" class="form-control form-control-wide{+START,IF,{$NOT,{EMAIL_OPTIONAL}}} input-text-required{+END}" />
./themes/default/templates/INSTALLER_STEP_2.tpl:15: <input maxlength="255" class="form-control form-control-wide" id="email" name="email" type="text" placeholder="{!EMAIL_ADDRESS_FOR_NEWSLETTER}" size="25" />
```

Here are cases in the code where we are not doing back-end validation...

```
./pages/modules/recommend.php:548: $recommender_email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);
./site/pages/modules_custom/sites.php:485: $email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);
./site/pages/modules/tickets.php:921: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./adminzone/pages/modules/admin_cns_members.php:337: $email_address = post_param_string('email', member_field_is_required(null, 'email_address') ? false : '', INPUT_FILTER_POST_IDENTIFIER);
./sources/blocks/main_join.php:128: $email_address = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/feedback.php:868: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/report_content.php:333: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/report_content.php:390: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources/report_content.php:420: $email = post_param_string('email', $GLOBALS['FORUM_DRIVER']->get_member_email_address($member_id), INPUT_FILTER_POST_IDENTIFIER);
./sources/cns_install.php:977: post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER), // email_address
./sources/mail_forms.php:166: $from_email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./install.php:2097: $email = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER);
./sources_custom/cns_join.php:97: 'i_email_address' => post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER),
./sources_custom/cns_join.php:103: 'i_email_address' => post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER),
./sources_custom/hooks/endpoints/misc/contact_us.php:43: $email_from = post_param_string('email', $GLOBALS['FORUM_DRIVER']->get_member_email_address(get_member()), INPUT_FILTER_POST_IDENTIFIER);
```

Back-end validation looks something like...

```php
require_code('type_sanitisation');
if ($email != '' && !is_valid_email_address($email)) {
    warn_exit(do_lang_tempcode('INVALID_EMAIL_ADDRESS'));
}
```

Also I noticed a bug...

```php
// Check e-mail domain, if applicable
$email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);
```

This code in cns_join.php is overwriting $email_address. The "$email_address = post_param_string('email', false, INPUT_FILTER_POST_IDENTIFIER);" line should be gone.
Tags | No tags attached. | ||||
Sponsorship open | |||||
Note 0007958 | Patrick Schmalstig | 2023-02-22 00:09 |

Already using email address validation: ./pages/modules/recommend.php (it's further down the code).

feedback.php was only using email for a Comcode tag, so instead of warn_exit, I simply made it not use the email Comcode tag if the email is invalid.

For all other backend cases, to avoid lots of repeating code, I added a new INPUT_FILTER_EMAIL_ADDRESS bitmask which can be used on post_param_string for email addresses.
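As an added illustration (not Composr's own code), here is a minimal stand-alone model of the approach described in the report and the note: the per-call `if ($email != '' && !is_valid_email_address($email)) warn_exit(...)` block is replaced by a bitmask flag on the parameter reader, so every caller validates the address at the input boundary before it can reach the mail queue. The constant values, the `post_param_string()` signature with an explicit `$post` array, `is_valid_email_address()` and the exception class are simplified assumptions, not the real Composr implementations.

```php
<?php
// Added example modelling this issue's fix; not Composr's code.
// Flag values are stand-ins; the real INPUT_FILTER_* constants differ.
const INPUT_FILTER_POST_IDENTIFIER = 1;
const INPUT_FILTER_EMAIL_ADDRESS   = 2;   // the new flag from the note

class InvalidInputException extends RuntimeException {}

// Conservative syntactic check (stand-in for type_sanitisation.php):
// sane length, PHP's own email filter, and a dotted domain after the '@'.
function is_valid_email_address(string $email): bool
{
    return strlen($email) <= 254
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/@[^@]+\.[^@.]+$/', $email) === 1;
}

// Stand-in for post_param_string(): $default === false means required.
// Validation lives here once, so callers passing INPUT_FILTER_EMAIL_ADDRESS
// get the same check without repeating the warn_exit block.
function post_param_string(string $name, $default, int $filters, array $post): string
{
    if (!isset($post[$name]) || $post[$name] === '') {
        if ($default === false) {
            throw new InvalidInputException("Missing required field: $name");
        }
        return (string) $default;
    }
    $value = trim((string) $post[$name]);
    // Same rule as the report's snippet: empty is allowed, non-empty must be well-formed.
    if (($filters & INPUT_FILTER_EMAIL_ADDRESS) !== 0 && $value !== '' && !is_valid_email_address($value)) {
        throw new InvalidInputException('INVALID_EMAIL_ADDRESS');
    }
    return $value;
}

// Constructed sample form submissions.
$samples = [
    ['email' => 'alice@example.com'],   // accepted
    ['email' => 'alice@localhost'],     // rejected: no dotted domain
    ['email' => 'not an address'],      // rejected
    ['email' => ''],                    // optional field left empty: accepted as ''
];
foreach ($samples as $post) {
    try {
        $v = post_param_string('email', '', INPUT_FILTER_POST_IDENTIFIER | INPUT_FILTER_EMAIL_ADDRESS, $post);
        echo "accepted: '$v'\n";
    } catch (InvalidInputException $e) {
        echo "rejected: '{$post['email']}' ({$e->getMessage()})\n";
    }
}
```

The rejection surfaces as a user-facing form error at submission time, which is the point of the fix: a direct-SMTP site never has to guess whether a stuck queue item means the server is down or the address was refused.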
Date Modified | Username | Field | Change |
---|---|---|---|
2023-02-18 16:18 | Chris Graham | New Issue | |
2023-02-18 16:18 | Chris Graham | Status | non-assigned => assigned |
2023-02-18 16:18 | Chris Graham | Assigned To | => Patrick Schmalstig |
2023-02-22 00:09 | Patrick Schmalstig | Note Added: 0007958 | |
2023-02-22 00:10 | Patrick Schmalstig | Status | assigned => resolved |
2023-02-22 00:10 | Patrick Schmalstig | Resolution | open => fixed |
2023-02-26 18:29 | Chris Graham | Category | General => General / Uncategorised |