[arch-projects] [PATCH] valid_email :: check all sorts of stuff, as described by: http://www.linuxjournal.com/article/9585
Signed-off-by: BlackEagle <ike.devolder@gmail.com>
---
 web/lib/aur.inc.php | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index c662b80..9b604fe 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -80,7 +80,53 @@ function check_sid($dbh=NULL) {
 # verify that an email address looks like it is legitimate
 #
 function valid_email($addy) {
- return (filter_var($addy, FILTER_VALIDATE_EMAIL) !== false);
+ $isValid = true;
+ $atIndex = strrpos($addy, "@");
+ if (is_bool($atIndex) && !$atIndex) {
+ $isValid = false;
+ } else {
+ $domain = substr($addy, $atIndex+1);
+ $local = substr($addy, 0, $atIndex);
+ $localLen = strlen($local);
+ $domainLen = strlen($domain);
+ if ($localLen < 1 || $localLen > 64) {
+ // local part length exceeded
+ $isValid = false;
+ } elseif ($domainLen < 1 || $domainLen > 255) {
+ // domain part length exceeded
+ $isValid = false;
+ } elseif ($local[0] == '.' || $local[$localLen-1] == '.') {
+ // local part starts or ends with '.'
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $local)) {
+ // local part has two consecutive dots
+ $isValid = false;
+ } elseif (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) {
+ // character not valid in domain part
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $domain)) {
+ // domain part has two consecutive dots
+ $isValid = false;
+ } elseif (
+ !preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
+ str_replace("\\\\","",$local))
+ ) {
+ // character not valid in local part unless
+ // local part is quoted
+ if (
+ !preg_match('/^"(\\\\"|[^"])+"$/',
+ str_replace("\\\\","",$local))
+ ) {
+ $isValid = false;
+ }
+ }
+
+ if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A"))) {
+ // domain not found in DNS
+ $isValid = false;
+ }
+ }
+ return $isValid;
 }

 # a new seed value for mt_srand()
-- 1.7.9.4
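Review bot: The quoted-local-part fallback `preg_match('/^"(\\\\"|[^"])+"$/', ...)` accepts any byte except `"` between the quotes, CR, LF and other control characters included, so an address containing line breaks passes the syntax checks as long as its domain resolves. How callers use the address is not visible in this hunk; if it can reach a mail header or a log line, reject control characters up front with `if (preg_match('/[\x00-\x1F\x7F]/', $addy)) { return false; }` as the first statement of valid_email(). The `$` anchors in the domain and local-part patterns also match before a trailing newline, which leaves only the DNS lookup to catch such input; `\z` or the `D` modifier makes the anchor strict. The two `checkdnsrr()` calls are blocking lookups on a user-supplied name inside the request, so resolver timeouts become stalled or rejected requests, and a domain that publishes only AAAA records is refused.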
On Mon, Mar 19, 2012 at 3:39 PM, BlackEagle <ike.devolder@gmail.com> wrote:
Signed-off-by: BlackEagle <ike.devolder@gmail.com>
---
 web/lib/aur.inc.php | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index c662b80..9b604fe 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -80,7 +80,53 @@ function check_sid($dbh=NULL) {
 # verify that an email address looks like it is legitimate
 #
 function valid_email($addy) {
- return (filter_var($addy, FILTER_VALIDATE_EMAIL) !== false);
+ $isValid = true;
+ $atIndex = strrpos($addy, "@");
+ if (is_bool($atIndex) && !$atIndex) {
+ $isValid = false;
+ } else {
+ $domain = substr($addy, $atIndex+1);
+ $local = substr($addy, 0, $atIndex);
+ $localLen = strlen($local);
+ $domainLen = strlen($domain);
+ if ($localLen < 1 || $localLen > 64) {
+ // local part length exceeded
+ $isValid = false;
+ } elseif ($domainLen < 1 || $domainLen > 255) {
+ // domain part length exceeded
+ $isValid = false;
+ } elseif ($local[0] == '.' || $local[$localLen-1] == '.') {
+ // local part starts or ends with '.'
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $local)) {
+ // local part has two consecutive dots
+ $isValid = false;
+ } elseif (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) {
+ // character not valid in domain part
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $domain)) {
+ // domain part has two consecutive dots
+ $isValid = false;
+ } elseif (
+ !preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
+ str_replace("\\\\","",$local))
+ ) {
+ // character not valid in local part unless
+ // local part is quoted
+ if (
+ !preg_match('/^"(\\\\"|[^"])+"$/',
+ str_replace("\\\\","",$local))
+ ) {
+ $isValid = false;
+ }
+ }
+
+ if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A"))) {
+ // domain not found in DNS
+ $isValid = false;
+ }
+ }
+ return $isValid;
 }
# a new seed value for mt_srand() -- 1.7.9.4
If that patch is for the AUR (which I believe it is), you should post it on the aur-dev ML instead of on this ML.
The AUR has a separate development mailing list (aur-dev). I will comment on your patch here but please send further patches to aur-dev. Thanks! On Mon, Mar 19, 2012 at 08:39:03PM +0100, BlackEagle wrote:
Signed-off-by: BlackEagle <ike.devolder@gmail.com>
---
 web/lib/aur.inc.php | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index c662b80..9b604fe 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -80,7 +80,53 @@ function check_sid($dbh=NULL) {
 # verify that an email address looks like it is legitimate
 #
 function valid_email($addy) {
- return (filter_var($addy, FILTER_VALIDATE_EMAIL) !== false);
+ $isValid = true;
+ $atIndex = strrpos($addy, "@");
+ if (is_bool($atIndex) && !$atIndex) {
+ $isValid = false;
+ } else {
+ $domain = substr($addy, $atIndex+1);
+ $local = substr($addy, 0, $atIndex);
+ $localLen = strlen($local);
+ $domainLen = strlen($domain);
+ if ($localLen < 1 || $localLen > 64) {
+ // local part length exceeded
+ $isValid = false;
+ } elseif ($domainLen < 1 || $domainLen > 255) {
+ // domain part length exceeded
+ $isValid = false;
+ } elseif ($local[0] == '.' || $local[$localLen-1] == '.') {
+ // local part starts or ends with '.'
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $local)) {
+ // local part has two consecutive dots
+ $isValid = false;
+ } elseif (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) {
+ // character not valid in domain part
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $domain)) {
+ // domain part has two consecutive dots
+ $isValid = false;
+ } elseif (
+ !preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
+ str_replace("\\\\","",$local))
+ ) {
+ // character not valid in local part unless
+ // local part is quoted
+ if (
+ !preg_match('/^"(\\\\"|[^"])+"$/',
+ str_replace("\\\\","",$local))
+ ) {
+ $isValid = false;
+ }
+ }
Thanks for coding this up, but what's the rationale behind it? Doesn't the FILTER_VALIDATE_EMAIL filter run most (all?) of these checks? I don't think we should try to be more clever than filter_var() here...
+
+ if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A"))) {
+ // domain not found in DNS
+ $isValid = false;
+ }
This makes more sense to me but again, I don't really think this is useful/effective... Any spammers could just continue using random mail addresses as long as they provide "valid" domains (e.g. they could just use "$random_foo@archlinux.org"). If we really want to check mail addresses for validity, we probably need to send verification mails.
+ }
+ return $isValid;
 }
# a new seed value for mt_srand() -- 1.7.9.4
Op maandag 19 maart 2012 21:06:59 schreef Lukas Fleischer:
The AUR has a separate development mailing list (aur-dev). I will comment on your patch here but please send further patches to aur-dev. Thanks!
On Mon, Mar 19, 2012 at 08:39:03PM +0100, BlackEagle wrote:
Signed-off-by: BlackEagle <ike.devolder@gmail.com>
---
web/lib/aur.inc.php | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index c662b80..9b604fe 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -80,7 +80,53 @@ function check_sid($dbh=NULL) {
# verify that an email address looks like it is legitimate # function valid_email($addy) {
- return (filter_var($addy, FILTER_VALIDATE_EMAIL) !== false);
+ $isValid = true;
+ $atIndex = strrpos($addy, "@");
+ if (is_bool($atIndex) && !$atIndex) {
+ $isValid = false;
+ } else {
+ $domain = substr($addy, $atIndex+1);
+ $local = substr($addy, 0, $atIndex);
+ $localLen = strlen($local);
+ $domainLen = strlen($domain);
+ if ($localLen < 1 || $localLen > 64) {
+ // local part length exceeded
+ $isValid = false;
+ } elseif ($domainLen < 1 || $domainLen > 255) {
+ // domain part length exceeded
+ $isValid = false;
+ } elseif ($local[0] == '.' || $local[$localLen-1] == '.') {
+ // local part starts or ends with '.'
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $local)) {
+ // local part has two consecutive dots
+ $isValid = false;
+ } elseif (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) {
+ // character not valid in domain part
+ $isValid = false;
+ } elseif (preg_match('/\\.\\./', $domain)) {
+ // domain part has two consecutive dots
+ $isValid = false;
+ } elseif (
+ !preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
+ str_replace("\\\\","",$local))
+ ) {
+ // character not valid in local part unless
+ // local part is quoted
+ if (
+ !preg_match('/^"(\\\\"|[^"])+"$/',
+ str_replace("\\\\","",$local))
+ ) {
+ $isValid = false;
+ }
+ }
Thanks for coding this up, but what's the rationale behind it? Doesn't the FILTER_VALIDATE_EMAIL filter run most (all?) of these checks? I don't think we should try to be more clever than filter_var() here...
+
+ if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A"))) {
+ // domain not found in DNS
+ $isValid = false;
+ }
This makes more sense to me but again, I don't really think this is useful/effective... Any spammers could just continue using random mail addresses as long as they provide "valid" domains (e.g. they could just use "$random_foo@archlinux.org"). If we really want to check mail addresses for validity, we probably need to send verification mails.
+ }
+ return $isValid;
}
# a new seed value for mt_srand()
-- 1.7.9.4
Drop this patch; it should be filter_var. I'll send a new patch to aur-dev. --Ike