dm-validations :email_format matches emails without a TLD
Reported by aferra (at gmail) | February 15th, 2010 @ 03:31 PM | in 1.1
When validating the value of a property against the :email_address format provided by dm-validations, the string 'user@notatld' is considered valid.
Since users will assume that the format only matches web-safe email address, this could allow bad input into the database.
Here's my spec:
http://gist.github.com/305005
For convenience, here's a transcript of my conversation with
dkubb on the matter:
http://gist.github.com/305011
Comments and changes to this ticket
-
Evan Reeves August 24th, 2010 @ 06:59 PM
- Milestone order changed from “0” to “0”
Is there any expected movement with this bug? We have a number of applications that rely on this built-in validation.
-
Martin Gamsjaeger (snusnu) October 29th, 2010 @ 03:57 PM
- State changed from “new” to “confirmed”
- Milestone set to “1.1”
- Milestone order changed from “195857” to “0”
-
Andrew Kolesnikov November 7th, 2010 @ 01:45 PM
Evan,
Technically, your spec isn't correct. Emails like foo@bar are valid.
-
Xavier Shay November 24th, 2010 @ 04:45 PM
- Assigned user set to “Xavier Shay”
Andrew, your concern is addressed in the conversation linked to.
I'll look at putting together a fix. -
Xavier Shay November 25th, 2010 @ 02:10 AM
I don't have commit rights to dm-validations, but have forked and created a patch:
https://github.com/xaviershay/dm-validations/tree/email_fixCould someone please review and merge.
-
Dan Kubb (dkubb) November 25th, 2010 @ 05:37 AM
- State changed from “confirmed” to “resolved”
(from [413cd0cba618700807f8a94be215fae18898682f]) Modify the :email_address format to fail on local addresses. Here is the IRC discussion that led to this decision (circa Feb 2010):
conekt: question... can you think of a case where 'user@something' without a .com would be a valid email?
conekt: or a .anything...
dkubb: some internal email systems would accept it, but for it to be routed internet you would need a valid tld
conekt: apparently :format => :email_address allows that...
dkubb: a valid tld being a gTLD, ccTLD or arpa
conekt: agreed, but if my intention is to validate user input in a web application, that feels like bad input just waiting to happen
dkubb: hmm, that is probably a bug. can you submit a ticket with that problem?
conekt: sure, I agree with the current implementation in principal... maybe if :email_address only matched web friendly examples and there was another built in pattern that would matching those other cases that would blow up on the web
conekt: for the issue, you want the whole example file with specs and everything I assume?
dkubb: the email address regexp matches emails according to the RFC's, except the RFC's are more generic than what an internet email address looks like. IMHO we should match internet email addresses
dkubb: reduced specs are always a bonus. it bumps the tickets most to the front of the queue
conekt: agreed, and then we can have a :rfc_compliant_email_address format or something :)
conekt: :pedantic_email_format :)
dkubb: I would probably defer that too until it's asked for. I would guess 99.9% of the people using it want internet email addresses to be the default
conekt: wholly agreed
conekt: cool, I'll post that at some point today[#1200 state:resolved] https://github.com/datamapper/dm-validations/commit/413cd0cba618700...
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
People watching this ticket
aferra (at gmail)
Martin Gamsjaeger (snusnu)
Xavier Shay
Tags
Referenced by
-
1200
dm-validations :email_format matches emails without a TLD
[#1200 state:resolved]
https://github.com/datamapper/dm-...