Vote #81909
未完了EmailAddress regex matches invalid email addresses
0%
説明
There is a regex in the @EmailAddress@ class, that matches some invalid email address like these:
test,email@example.com ,test@example.com $test@example.com
class EmailAddress < ActiveRecord::Base
include Redmine::SafeAttributes
EMAIL_REGEXP = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+(?:(?:xn--[-a-z0-9]+)|(?:[a-z]{2,})))\z/i
May be better to use @URI::MailTo::EMAIL_REGEXP@ instead.
journals
Setting the target version to 5.1.0.
--------------------------------------------------------------------------------
Added a test to the patch.
--------------------------------------------------------------------------------
This effectively changes @EmailAddress::EMAIL_REGEXP@ from:
<pre><code class="ruby">
/\A([^@\s]+)@((?:[-a-z0-9]+\.)+(?:(?:xn--[-a-z0-9]+)|(?:[a-z]{2,})))\z/i
</code></pre>to:
<pre><code class="ruby">
/\A[a-zA-Z0-9.!\#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\z/
</code></pre>as @URI::MailTo::EMAIL_REGEXP@ is defined as such in the Ruby source (https://github.com/ruby/ruby/blob/master/lib/uri/mailto.rb#L55).
This definition is effectively a Ruby port[1] of the JavaScript- and Perl-compatible regex example given in the "HTML Living Standard":https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address:
<pre><code class="js">
/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/
</code></pre>
Some quick notes on this change:
* it fixes the cases of the first two email address examples, but @$test@example.com@ still matches (and a little search will probably give more edge-cases);
* the current custom regex includes capture groups while @URI::MailTo::EMAIL_REGEXP@ doesn't (which changes the return value in some cases and thus may break plugins that depend on the current value of @EmailAddress::EMAIL_REGEXP@) e.g.:
<pre>
'test@example.com'.match(EmailAddress::EMAIL_REGEXP)
=> #<MatchData "test@example.com" 1:"test" 2:"example.com">
'test@example.com'.match(URI::MailTo::EMAIL_REGEXP)
=> #<MatchData "test@example.com">
</pre>
* given the previous note, this might be something that should be shipped in a major release (6.0.0) instead of a minor release (5.1.0).
fn1. https://github.com/ruby/ruby/blob/master/lib/uri/mailto.rb#L54
--------------------------------------------------------------------------------
Mischa The Evil wrote:
> * given the previous note, this might be something that should be shipped in a major release (6.0.0) instead of a minor release (5.1.0).
I don't think the change should be delivered in 6.0.0 instead of 5.1.0.
In Redmine, the change of version number from 5.0.0 to 5.1.0 is not a minor release but a major release. For example, when the version number changed from 3.0.0 to 3.1.0 or from 4.0.0 to 4.1.0, many new features were added and some plugins stopped working.
If this change cannot be delivered in 5.1.0 due to plugin compatibility, I am afraid that 5.1.0 can only include a few bug fixes and cannot include any new features.
--------------------------------------------------------------------------------
Admin Redmine さんが約2年前に更新
- カテゴリ を Accounts / authentication_7 にセット
- 対象バージョン を 5.1.0_176 にセット