
No server side email validation before sending verification mail #4158

Closed
mkrogh opened this issue Nov 18, 2019 · 1 comment

@mkrogh mkrogh commented Nov 18, 2019

Describe the bug
Indico does not validate the email addresses on the server side before sending out a verification email, leading to local mail delivery in some cases.
This is a problem when spam bots come by, looking for XSS.

To Reproduce

  1. Go to '/register/'
  2. Input msgbox("foo");window.alert('bar');
  3. Disable form validation by changing type=email to type=text
  4. Then click 'Send me a verification email'
  5. Check the local delivery mailboxes for foo <msgbox@SERVER ;> and bar <window.alert@SERVER ;>

Expected behavior
Indico should not send verification mails to local mailboxes, and should check the email server-side.
At least check if the mail contains an @.

Other examples are mails sent to the support users about not being able to send the verification mails:

2019-11-17 02:55:02,560  0000000000000000  indico.emails - ERROR emails.py:52 -- Could not send email "[Indico] Verify your email" (attempt 10/10); giving up [{u'!--#execcmd="dir"--': (501, '5.1.3 Bad recipient address syntax')}]; stored data in /opt/indico/tmp/failed-email-2019-11-17-wqpBY0
2019-11-17 02:38:16,055  0000000000000000  indico.emails - ERROR emails.py:52 -- Could not send email "[Indico] Verify your email" (attempt 10/10); giving up [Header values can't contain newlines (got u'<script\n>alert(110);</script\n>' for header u'To')]; stored data in /opt/indico/tmp/failed-email-2019-11-17-LJp7Vk
@ThiefMaster ThiefMaster commented Nov 18, 2019

The general consensus on email validation is that one should just try sending an email instead of trying to do any in-depth validation. However, you are correct that the "simple" email validator (which would cover something as obviously-wrong as your test input) is missing on those fields. So we'll fix that in the next version.
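The "simple" server-side validator the maintainer refers to, and the "at least check for an @" suggestion in the report, can be illustrated with a short check run before any verification mail is queued. The code below is an added example written for this issue, not Indico's own validator; the function names `is_plausible_email` and `filter_recipients` and the regex are assumptions. It rejects the probe strings quoted in the issue (no `@`, or a newline that would otherwise end up in the `To:` header) while accepting ordinary addresses, and leaves deeper validation to the act of sending, as the comment recommends.

```python
import re

# Simple syntactic check: exactly one '@', a non-empty local part, a dotted
# domain, and none of the characters that mean something to an address
# parser or an MTA (whitespace, angle brackets, parentheses, ';', ',', quotes).
# This is an added example for the issue above, not Indico's own code.
_SIMPLE_EMAIL_RE = re.compile(
    r"^[^@\s<>()\[\];:,\"\\]+@[^@\s<>()\[\];:,\"\\]+\.[^@\s<>()\[\];:,\"\\]+$"
)


def is_plausible_email(value):
    """Return True if `value` looks like a single, routable email address."""
    if not isinstance(value, str):
        return False
    # Control characters (including '\n') must never reach a mail header;
    # this is what the "Header values can't contain newlines" log line is about.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return False
    # A bare local name (no '@') is exactly what an MTA delivers locally.
    if value.count("@") != 1:
        return False
    return _SIMPLE_EMAIL_RE.match(value) is not None


def filter_recipients(candidates):
    """Split submitted strings into (accepted, rejected) before sending anything."""
    accepted, rejected = [], []
    for candidate in candidates:
        (accepted if is_plausible_email(candidate) else rejected).append(candidate)
    return accepted, rejected


# Constructed sample input: two ordinary addresses plus the probe strings
# quoted in the issue and two more malformed values.
SAMPLE_INPUTS = [
    "alice@example.org",
    "bob.smith+tag@sub.example.com",
    'msgbox("foo");window.alert(\'bar\');',   # from the repro steps, no '@'
    '!--#execcmd="dir"--',                    # from the first log line
    "<script\n>alert(110);</script\n>",       # from the second log line, has newlines
    "nobody",                                 # bare local name
    "a@b",                                    # no dotted domain
]

if __name__ == "__main__":
    ok, bad = filter_recipients(SAMPLE_INPUTS)
    print("would send verification mail to:", ok)
    print("rejected before sending:", bad)
```

Running the block prints the two ordinary addresses as accepted and the remaining five strings as rejected; the point is that the rejection happens in application code, so nothing malformed is ever handed to the mail backend or to a local delivery agent.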

@ThiefMaster ThiefMaster added the bug label Nov 18, 2019
@ThiefMaster ThiefMaster added this to the v2.2 milestone Nov 18, 2019
@ThiefMaster ThiefMaster self-assigned this Nov 18, 2019