mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-10-30 22:11:07 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: properly validate email containing comments

Browse source 
Originally reported by jomo (https://jomo.tv). A malicious actor could
register with an email address containing a comment, for example
"attacker@evil (comment@broken)". This commit fixes this issue by only
operating on normalized email addresses.

Signed-off-by: famfo <famfo@famfo.xyz>
This commit is contained in:
famfo 2025-08-23 01:57:20 +02:00 committed by Earl Warren
commit cf1fda81f6
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
modules/validation/email.go
View file

@ -80,8 +80,15 @@ func validateEmailDomain(email string) error {
} }
func IsEmailDomainAllowed(email string) bool { func IsEmailDomainAllowed(email string) bool {
// Normalized the address. This strips for example comments which could be
// used to smuggle a different domain
parsedAddress, err := mail.ParseAddress(email)
if err != nil {
return false
}
return isEmailDomainAllowedInternal( return isEmailDomainAllowedInternal(
email, parsedAddress.Address,
setting.Service.EmailDomainAllowList, setting.Service.EmailDomainAllowList,
setting.Service.EmailDomainBlockList) setting.Service.EmailDomainBlockList)
} }