[arch-projects] [PATCH] valid_email :: check all sorts of stuff, as described by: http://www.linuxjournal.com/article/9585

Ike Devolder ike.devolder at gmail.com
Mon Mar 19 16:29:06 EDT 2012


On Monday 19 March 2012 21:06:59 Lukas Fleischer wrote:
> The AUR has a separate development mailing list (aur-dev). I will
> comment on your patch here but please send further patches to aur-dev.
> Thanks!
> 
> On Mon, Mar 19, 2012 at 08:39:03PM +0100, BlackEagle wrote:
> > Signed-off-by: BlackEagle <ike.devolder at gmail.com>
> > ---
> > 
> >  web/lib/aur.inc.php |   48
> >  +++++++++++++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 47 insertions(+), 1 deletion(-)
> > 
> > diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
> > index c662b80..9b604fe 100644
> > --- a/web/lib/aur.inc.php
> > +++ b/web/lib/aur.inc.php
> > @@ -80,7 +80,53 @@ function check_sid($dbh=NULL) {
> > 
> >  # verify that an email address looks like it is legitimate
> >  #
> >  function valid_email($addy) {
> > 
> > -	return (filter_var($addy, FILTER_VALIDATE_EMAIL) !== false);
> > +	$isValid = true;
> > +	$atIndex = strrpos($addy, "@");
> > +	if (is_bool($atIndex) && !$atIndex) {
> > +		$isValid = false;
> > +	} else {
> > +		$domain = substr($addy, $atIndex+1);
> > +		$local = substr($addy, 0, $atIndex);
> > +		$localLen = strlen($local);
> > +		$domainLen = strlen($domain);
> > +		if ($localLen < 1 || $localLen > 64) {
> > +			// local part length exceeded
> > +			$isValid = false;
> > +		} elseif ($domainLen < 1 || $domainLen > 255) {
> > +			// domain part length exceeded
> > +			$isValid = false;
> > +		} elseif ($local[0] == '.' || $local[$localLen-1] == '.') {
> > +			// local part starts or ends with '.'
> > +			$isValid = false;
> > +		} elseif (preg_match('/\\.\\./', $local)) {
> > +			// local part has two consecutive dots
> > +			$isValid = false;
> > +		} elseif (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) {
> > +			// character not valid in domain part
> > +			$isValid = false;
> > +		} elseif (preg_match('/\\.\\./', $domain)) {
> > +			// domain part has two consecutive dots
> > +			$isValid = false;
> > +		} elseif (
> > +			!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
> > +			str_replace("\\\\","",$local))
> > +		) {
> > +			// character not valid in local part unless
> > +			// local part is quoted
> > +			if (
> > +				!preg_match('/^"(\\\\"|[^"])+"$/',
> > +				str_replace("\\\\","",$local))
> > +			) {
> > +				$isValid = false;
> > +			}
> > +		}
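
Review bot: the quoted-local-part fallback at the end of this block, `!preg_match('/^"(\\\\"|[^"])+"$/',`, accepts any byte other than `"` between the quotes, so control characters including CR and LF pass, and every pattern here is anchored with `$` without the `D` modifier, which in PCRE also matches just before a trailing newline. If a hand-written validator is kept, anchor with `\z` (or add `D`) and restrict the quoted form to printable characters; the not-found test on `strrpos()` would also read more clearly as `$atIndex === false`. The block replaces a single `filter_var($addy, FILTER_VALIDATE_EMAIL)` call with rules that are harder to audit, so each branch should come with a test case showing an address it accepts or rejects differently from the filter.
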
> 
> Thanks for coding this up, but what's the rationale behind it? Doesn't
> the FILTER_VALIDATE_EMAIL filter run most (all?) of these checks? I
> don't think we should try to be more clever than filter_var() here...
> 
> > +
> > +		if ($isValid && !(checkdnsrr($domain,"MX") || 
checkdnsrr($domain,"A")))
> > { +			// domain not found in DNS
> > +			$isValid = false;
> > +		}
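
Review bot: the `checkdnsrr($domain,"MX") || checkdnsrr($domain,"A")` test makes `valid_email()` perform up to two blocking DNS lookups per call and turns any resolver failure or timeout into "invalid address", so a transient DNS problem rejects legitimate users. It also ignores domains that publish only AAAA records. Consider moving the lookup out of the syntax validator into a separate, optional step whose failure is reported distinctly from a malformed address, or dropping it.
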
> 
> This makes more sense to me but again, I don't really think this is
> useful/effective... Any spammers could just continue using random mail
> addresses as long as they provide "valid" domains (e.g. they could just
> use "$random_foo at archlinux.org"). If we really want to check mail
> addresses for validity, we probably need to send verification mails.
> 
> > +	}
> > +	return $isValid;
> > 
> >  }
> >  
> >  # a new seed value for mt_srand()
> > 
> > --
> > 1.7.9.4

Drop this patch, it should be filter_var.
I'll send a new patch to aur-dev.

--Ike