From cf1fda81f6ac21088dd575a7294a96be8a2155b0 Mon Sep 17 00:00:00 2001
From: famfo
Date: Sat, 23 Aug 2025 01:57:20 +0200
Subject: [PATCH] fix: properly validate email containing comments

Originally reported by jomo (https://jomo.tv). A malicious actor could register with an email address containing a comment, for example "attacker@evil (comment@broken)". This commit fixes this issue by only operating on normalized email addresses.

Signed-off-by: famfo
---
 modules/validation/email.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/validation/email.go b/modules/validation/email.go
index 8e1ffc203d..6782be4e2a 100644
--- a/modules/validation/email.go
+++ b/modules/validation/email.go
@@ -80,8 +80,15 @@ func validateEmailDomain(email string) error {
 }
 
 func IsEmailDomainAllowed(email string) bool {
+	// Normalized the address. This strips for example comments which could be
+	// used to smuggle a different domain
+	parsedAddress, err := mail.ParseAddress(email)
+	if err != nil {
+		return false
+	}
+
 	return isEmailDomainAllowedInternal(
-		email,
+		parsedAddress.Address,
 		setting.Service.EmailDomainAllowList,
 		setting.Service.EmailDomainBlockList)
 }
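Review bot: The value that is checked and the value the caller keeps can still diverge: the allow/block-list lookup now runs on `parsedAddress.Address`, but `IsEmailDomainAllowed` returns only a bool, so the caller still holds the raw `email` (comment, display name and all) and nothing here asserts the two agree. Either reject the mismatch explicitly, `if parsedAddress.Address != email { return false }`, or make the callers persist the normalized form, so the address that passed the domain check is the one that ends up stored. The new comment also has a verb-tense slip and no terminating period; `// Normalize the address. This strips e.g. comments which could be used to smuggle a different domain.` reads cleaner. The `mail` package is presumably already imported, since the diffstat shows no other hunk in this file — worth confirming, as the hunk does not show the import block.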