Make e-mail sanity check more precise (#20991)

balanceofcowards · Andreas Fischer · 6543 · web-flow · commit 9862936ed3f4 · 2022-10-11T22:44:09.000-04:00
For security reasons, all e-mail addresses starting with
non-alphanumeric characters were rejected. This is too broad and rejects
perfectly valid e-mail addresses. Only leading hyphens should be
rejected -- in all other cases e-mail address specification should
follow RFC 5322.

Co-authored-by: Andreas Fischer &lt;_@ndreas.de&gt;
Co-authored-by: 6543 &lt;6543@obermui.de&gt;
Co-authored-by: zeripath &lt;art27@cantab.net&gt;
Co-authored-by: techknowlogick &lt;techknowlogick@gitea.io&gt;
diff --git a/models/user/email_address.go b/models/user/email_address.go
@@ -41,6 +41,7 @@ func (err ErrEmailCharIsNotSupported) Error() string {
 }
 
 // ErrEmailInvalid represents an error where the email address does not comply with RFC 5322
+// or has a leading '-' character
 type ErrEmailInvalid struct {
 	Email string
 }
@@ -134,9 +135,7 @@ func ValidateEmail(email string) error {
 		return ErrEmailCharIsNotSupported{email}
 	}
 
-	if !(email[0] >= 'a' && email[0] <= 'z') &&
-		!(email[0] >= 'A' && email[0] <= 'Z') &&
-		!(email[0] >= '0' && email[0] <= '9') {
+	if email[0] == '-' {
 		return ErrEmailInvalid{email}
 	}
 
diff --git a/models/user/email_address_test.go b/models/user/email_address_test.go
@@ -281,23 +281,25 @@ func TestEmailAddressValidate(t *testing.T) {
 		`first~last@iana.org`:            nil,
 		`first;last@iana.org`:            user_model.ErrEmailCharIsNotSupported{`first;last@iana.org`},
 		".233@qq.com":                    user_model.ErrEmailInvalid{".233@qq.com"},
-		"!233@qq.com":                    user_model.ErrEmailInvalid{"!233@qq.com"},
-		"#233@qq.com":                    user_model.ErrEmailInvalid{"#233@qq.com"},
-		"$233@qq.com":                    user_model.ErrEmailInvalid{"$233@qq.com"},
-		"%233@qq.com":                    user_model.ErrEmailInvalid{"%233@qq.com"},
-		"&233@qq.com":                    user_model.ErrEmailInvalid{"&233@qq.com"},
-		"'233@qq.com":                    user_model.ErrEmailInvalid{"'233@qq.com"},
-		"*233@qq.com":                    user_model.ErrEmailInvalid{"*233@qq.com"},
-		"+233@qq.com":                    user_model.ErrEmailInvalid{"+233@qq.com"},
-		"/233@qq.com":                    user_model.ErrEmailInvalid{"/233@qq.com"},
-		"=233@qq.com":                    user_model.ErrEmailInvalid{"=233@qq.com"},
-		"?233@qq.com":                    user_model.ErrEmailInvalid{"?233@qq.com"},
-		"^233@qq.com":                    user_model.ErrEmailInvalid{"^233@qq.com"},
-		"`233@qq.com":                    user_model.ErrEmailInvalid{"`233@qq.com"},
-		"{233@qq.com":                    user_model.ErrEmailInvalid{"{233@qq.com"},
-		"|233@qq.com":                    user_model.ErrEmailInvalid{"|233@qq.com"},
-		"}233@qq.com":                    user_model.ErrEmailInvalid{"}233@qq.com"},
-		"~233@qq.com":                    user_model.ErrEmailInvalid{"~233@qq.com"},
+		"!233@qq.com":                    nil,
+		"#233@qq.com":                    nil,
+		"$233@qq.com":                    nil,
+		"%233@qq.com":                    nil,
+		"&233@qq.com":                    nil,
+		"'233@qq.com":                    nil,
+		"*233@qq.com":                    nil,
+		"+233@qq.com":                    nil,
+		"-233@qq.com":                    user_model.ErrEmailInvalid{"-233@qq.com"},
+		"/233@qq.com":                    nil,
+		"=233@qq.com":                    nil,
+		"?233@qq.com":                    nil,
+		"^233@qq.com":                    nil,
+		"_233@qq.com":                    nil,
+		"`233@qq.com":                    nil,
+		"{233@qq.com":                    nil,
+		"|233@qq.com":                    nil,
+		"}233@qq.com":                    nil,
+		"~233@qq.com":                    nil,
 		";233@qq.com":                    user_model.ErrEmailCharIsNotSupported{";233@qq.com"},
 		"Foo <foo@bar.com>":              user_model.ErrEmailCharIsNotSupported{"Foo <foo@bar.com>"},
 		string([]byte{0xE2, 0x84, 0xAA}): user_model.ErrEmailCharIsNotSupported{string([]byte{0xE2, 0x84, 0xAA})},

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ func (err ErrEmailCharIsNotSupported) Error() string {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`// ErrEmailInvalid represents an error where the email address does not comply with RFC 5322`
	`44`	`+// or has a leading '-' character`
`44`	`45`	`type ErrEmailInvalid struct {`
`45`	`46`	`Email string`
`46`	`47`	`}`
`@@ -134,9 +135,7 @@ func ValidateEmail(email string) error {`
`134`	`135`	`return ErrEmailCharIsNotSupported{email}`
`135`	`136`	`}`
`136`	`137`
`137`		`- if !(email[0] >= 'a' && email[0] <= 'z') &&`
`138`		`- !(email[0] >= 'A' && email[0] <= 'Z') &&`
`139`		`- !(email[0] >= '0' && email[0] <= '9') {`
	`138`	`+ if email[0] == '-' {`
`140`	`139`	`return ErrEmailInvalid{email}`
`141`	`140`	`}`
`142`	`141`
-Original file line number
+Diff line change
 		`[email protected]`:            nil,
 		`first;[email protected]`:            user_model.ErrEmailCharIsNotSupported{`first;[email protected]`},
 		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 -		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 -		"#[email protected]":                    user_model.ErrEmailInvalid{"#[email protected]"},
 -		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 -		"%[email protected]":                    user_model.ErrEmailInvalid{"%[email protected]"},
 -		"&[email protected]":                    user_model.ErrEmailInvalid{"&[email protected]"},
 -		"'[email protected]":                    user_model.ErrEmailInvalid{"'[email protected]"},
 -		"*[email protected]":                    user_model.ErrEmailInvalid{"*[email protected]"},
 -		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 -		"/[email protected]":                    user_model.ErrEmailInvalid{"/[email protected]"},
 -		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 -		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 -		"^[email protected]":                    user_model.ErrEmailInvalid{"^[email protected]"},
 -		"`[email protected]":                    user_model.ErrEmailInvalid{"`[email protected]"},
 -		"{[email protected]":                    user_model.ErrEmailInvalid{"{[email protected]"},
 -		"|[email protected]":                    user_model.ErrEmailInvalid{"|[email protected]"},
 -		"}[email protected]":                    user_model.ErrEmailInvalid{"}[email protected]"},
 -		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 +		"[email protected]":                    nil,
 +		"#[email protected]":                    nil,
 +		"[email protected]":                    nil,
 +		"%[email protected]":                    nil,
 +		"&[email protected]":                    nil,
 +		"'[email protected]":                    nil,
 +		"*[email protected]":                    nil,
 +		"[email protected]":                    nil,
 +		"[email protected]":                    user_model.ErrEmailInvalid{"[email protected]"},
 +		"/[email protected]":                    nil,
 +		"[email protected]":                    nil,
 +		"[email protected]":                    nil,
 +		"^[email protected]":                    nil,
 +		"[email protected]":                    nil,
 +		"`[email protected]":                    nil,
 +		"{[email protected]":                    nil,
 +		"|[email protected]":                    nil,
 +		"}[email protected]":                    nil,
 +		"[email protected]":                    nil,
 		";[email protected]":                    user_model.ErrEmailCharIsNotSupported{";[email protected]"},
 		"Foo <[email protected]>":              user_model.ErrEmailCharIsNotSupported{"Foo <[email protected]>"},
 		string([]byte{0xE2, 0x84, 0xAA}): user_model.ErrEmailCharIsNotSupported{string([]byte{0xE2, 0x84, 0xAA})},