New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validation::_pattern['hostname'] matches dotted "domain" names, not "hostnames". #2477
Comments
Unless it changed, this is the regexp used for
Surely building on these existing checks in this extension would be more coherent with the language itself. As per the docs: The filter extension is enabled by default as of PHP 5.2.0. Before this time an experimental PECL extension was used, however, the PECL version is no longer recommended or updated. So it fits within the CakePHP 2.x requirements constraints. Wheels don't need reinventing. |
The Cake Validation class doesn't seem to be using that for email checks (at least not in the master branch.) It's using the In any case, are you suggesting that the solution is to switch to |
Go for it, that's exactly what I'm suggesting, build upon the tools already exposed via the implementation language (PHP). There are also |
Targeting 2.5 I assume then? |
This has come up in the past. Last time this came around we decided to go with the more pragmatic validation vs. more theoretically correct validation. For example on a user registration system I think the majority of email addresses people want to validate are publicly accessible ones. While internal mailboxes are very useful, I don't think they are the dominant use case for CakePHP. |
I don't disagree at all, but then core components like CakeEmail need to somehow allow for special-casing their developer-facing validation. My |
@beporter in light of the feedback from @markstory I would think a strategy around the validation (like you suggest) would be in order, to switch out the underlying checks performed. That, or a way to extend the validation system, which currently doesn't exist beyond extending the |
@markstory: The implementation of HTML5 form validation for I recognize the case you are making, and I even agree with it in an end-user context, but I continue to maintain that the same artificially-limited validation should not be forced upon Cake developers. I am at a loss to suggest a reasonable compromise when it comes to @jameswatts: I appreciate the suggestion, but as it stands I can either:
None of these fill me with joy, I'm afraid. Thanks for the time, gentlemen. I appreciate it. |
The method you mentioned in CakeEmail was added exactly for this kind of situation. Exposing it to the config file might be nice. We can't really force the browsers to change, as the RFC does cite |
@beporter maybe a PR to allow it via configuration here -> https://github.com/cakephp/cakephp/blob/master/lib/Cake/Network/Email/CakeEmail.php#L1185 |
What about adding a new validation method that does more relaxed/rfc compliant validation? I don't really like the idea of adding more boolean parameters to a method that already has one, it makes reading code harder. A separate method would allow people to opt into the behaviour they want. |
Either way is fine with me. My main concern is that CakeEmail is essentially an MUA and if you would (rightly) object to Mail.app stopping you from sending an email to This will mean that the default user-facing validation will remain as-is, safe-guarding the majority of addresses passed into CakeEmail, but at the same time would resolve the issue both when using local domain-parts in If we're all in agreement, I'll work on a PR. I am also open to appropriate names for the new Validation method, as adjectives such as "strict" imply more restrictions even though in this case, "strict matching" represents fewer restrictions. There are similar issues with, "_permissive", "_relaxed", "_accurate", etc. Maybe something like |
I think having CakeEmail accept addresses like As for a method name, |
I would actually remove the use of the |
@lorenzo That sound's pretty reasonable 👍. |
That works for me, we should continue to allow custom patterns as well though. They are important for the Japanese community, as there are a few isps in japan that have non-compliant addresses that work. |
Looking at the |
@ADmad That would apply if the project was on 2.4, yes. It is not (yet), although this thread is starting to become more of an investment than the upgrade process. (I kid!) It also sidesteps the fact that the validation is simply incorrect. I happily concede @markstory's point about the benefits of being more restrictive with user-facing email validation, but @josegonzalez (corrected) recently emailed us folks at @loadsys soliciting feedback for the future of Cake. This I feel is one small suggestion I can offer so far. And since neither the custom regex, nor any PR I might submit here will help me with my current project directly, I hope that my argument can be taken as reasonably unbiased. |
So upgrade to 2.4 :)
It's not incorrect, it's intentionally restrictive by default. The custom regex is not a workaround but rather a feature to customize it to suit your needs. As @markstory pointed out few japanese ISPs actually use non-compliant email ids. So you can see even following RFC is not always enough to please everybody.
Your feedback is very welcome and based of that we might probably change the default validation inside CakeEmail in 2.5. As for your current problem we can't make retrospective changes to whatever cake version you are using can we? If you update to 2.4 its just a matter of adding a single line in your email config file with the custom regex to solve your problem. |
I did investigate upgrading to 2.4 early on but in this case it seems for some reason to be non-trivial and will require appropriate planning. That is in no way your problem though and is orthogonal to this conversation. As I said; I'm here because I think Cake needs repair, not because I'm going to get a solution to my immediate problem out of it. I'm happy to do the PR for the CakeEmail changes to |
I think filter_var + an override so the japanese people can get their non-compliant addresses to work would be great. |
@beporter Guess what |
I wasn't the one that suggested filter_var as a fix, just for reference. Seeing as @ADmad's already done the PR, I think we're done here. Thanks again guys. |
Ref:
Utility/Validation.php#L42
.There is no requirement that a hostname or an email address's domain part use a fully qualified, internet-resolvable DNS name. It's therefore incorrect behavior to reject a hostname like
mylocalserver
that does not contain a dot. This also has implications (at least) forValidation::email()
, which incorrectly rejects addresses likebeporter@localhost
-- an address that is valid per RFC 2822.The bottom line is that it's not appropriate to validate "hostnames" solely as "domain" names. I put together some samples using the current regex (link corrected) to illustrate. I feel like the argument though is really whether Cake is better off following common (but incorrect) validation practices, or following the letter of the RFC(s) at the expense of causing incompatibility with other apps and systems that aren't validating correctly.
PS: This post came about because I put
'from' => 'beporter@localhost'
in myConfig/email.php
and got an error even though mail sent to beporter@localhost would have been properly routed and delivered by my local MTA.The text was updated successfully, but these errors were encountered: