#1200 ✓resolved
aferra (at gmail)

dm-validations :email_format matches emails without a TLD

Reported by aferra (at gmail) | February 15th, 2010 @ 03:31 PM | in 1.1

When validating the value of a property against the :email_address format provided by dm-validations, the string 'user@notatld' is considered valid.

Since users will assume that the format only matches web-safe email address, this could allow bad input into the database.

Here's my spec:

For convenience, here's a transcript of my conversation with dkubb on the matter:

Comments and changes to this ticket

  • Evan Reeves

    Evan Reeves August 24th, 2010 @ 06:59 PM

    • Milestone order changed from “0” to “0”

    Is there any expected movement with this bug? We have a number of applications that rely on this built-in validation.

  • Martin Gamsjaeger (snusnu)

    Martin Gamsjaeger (snusnu) October 29th, 2010 @ 03:57 PM

    • State changed from “new” to “confirmed”
    • Milestone set to 1.1
    • Milestone order changed from “195857” to “0”
  • Andrew Kolesnikov

    Andrew Kolesnikov November 7th, 2010 @ 01:45 PM


    Technically, your spec isn't correct. Emails like foo@bar are valid.

  • Xavier Shay

    Xavier Shay November 24th, 2010 @ 04:45 PM

    • Assigned user set to “Xavier Shay”

    Andrew, your concern is addressed in the conversation linked to.
    I'll look at putting together a fix.

  • Xavier Shay

    Xavier Shay November 25th, 2010 @ 02:10 AM

    I don't have commit rights to dm-validations, but have forked and created a patch:

    Could someone please review and merge.

  • Dan Kubb (dkubb)

    Dan Kubb (dkubb) November 25th, 2010 @ 05:37 AM

    • State changed from “confirmed” to “resolved”

    (from [413cd0cba618700807f8a94be215fae18898682f]) Modify the :email_address format to fail on local addresses. Here is the IRC discussion that led to this decision (circa Feb 2010):

    conekt: question... can you think of a case where 'user@something' without a .com would be a valid email?
    conekt: or a .anything...
    dkubb: some internal email systems would accept it, but for it to be routed internet you would need a valid tld
    conekt: apparently :format => :email_address allows that...
    dkubb: a valid tld being a gTLD, ccTLD or arpa
    conekt: agreed, but if my intention is to validate user input in a web application, that feels like bad input just waiting to happen
    dkubb: hmm, that is probably a bug. can you submit a ticket with that problem?
    conekt: sure, I agree with the current implementation in principal... maybe if :email_address only matched web friendly examples and there was another built in pattern that would matching those other cases that would blow up on the web
    conekt: for the issue, you want the whole example file with specs and everything I assume?
    dkubb: the email address regexp matches emails according to the RFC's, except the RFC's are more generic than what an internet email address looks like. IMHO we should match internet email addresses
    dkubb: reduced specs are always a bonus. it bumps the tickets most to the front of the queue
    conekt: agreed, and then we can have a :rfc_compliant_email_address format or something :)
    conekt: :pedantic_email_format :)
    dkubb: I would probably defer that too until it's asked for. I would guess 99.9% of the people using it want internet email addresses to be the default
    conekt: wholly agreed
    conekt: cool, I'll post that at some point today

    [#1200 state:resolved] https://github.com/datamapper/dm-validations/commit/413cd0cba618700...

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Referenced by