
EmailValidator catastrophic exponential-time regular expression #7757

Closed
vaadin-bot opened this issue Jul 19, 2016 · 5 comments
Labels: bug, Stale (Stale bot label), v7
Milestone: none

Comments

@vaadin-bot
Collaborator

Originally by jtomaszk


Class com.vaadin.data.validator.EmailValidator is using an unsafe validation regex:

"^([a-zA-Z0-9_\\.\\-+])+@(([a-zA-Z0-9-])+\\.)+([a-zA-Z0-9]{2,4})+$"

Example of potentially malicious input for which validation never ends:

a@a.m5qRt8zLxQG4mMeu9yKZm5qRt8zLxQG4mMeu9yKZm5qRt8zLxQG4mMeu9yKZ&

related info [http://www.regular-expressions.info/catastrophic.html]


Imported from https://dev.vaadin.com/ issue #20065

@vaadin-bot vaadin-bot added the bug label Dec 10, 2016
@fante76
fante76 commented Jun 6, 2017

The current implementation on Vaadin 8 gives a validation error if the value is an empty string, because it only tests for a null value.

@cristian-aimi
This second bug reported by fante76 is more serious, because it blocks the form that has an EmailValidator inside. It would be better to fix the problem as soon as possible.
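The two defects raised in this thread, the exponential backtracking of the Vaadin 7 regex on the reported input and the empty-string check missing from the Vaadin 8 validator, can both be shown with the small script below. It is an added example written for this page, not code from Vaadin; `HARDENED`, `MAX_LEN`, `is_valid_email`, `payload` and `time_match` are this example's own names, and the rewritten pattern is this example's rewrite, not the fix Vaadin shipped. Python's `re` is a backtracking engine like `java.util.regex`, so the growth is the same in kind; the script deliberately keeps the adversarial inputs short, because the 60-character input from the report does not finish with the old pattern.

```python
import re
import time

# Pattern quoted in the issue for com.vaadin.data.validator.EmailValidator (Vaadin 7).
# The trouble is the last group: '([a-zA-Z0-9]{2,4})+' can split a run of alphanumerics
# into 2-, 3- or 4-character chunks in exponentially many ways, and the engine tries
# every one of them before '$' finally fails on the trailing '&'.
VULNERABLE = r"^([a-zA-Z0-9_\.\-+])+@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,4})+$"

# Rewrite used by this example (an assumption, not the pattern Vaadin 8 ships). It accepts
# the same strings as VULNERABLE: chunks of 2-4 repeated one or more times are exactly the
# alphanumeric runs of length >= 2, so '{2,}' replaces the nested repetition, and every
# domain label is terminated by a literal '.' that the character class cannot consume,
# so each label matches in only one way.
HARDENED = r"^[a-zA-Z0-9_.\-+]+@([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]{2,}$"

# RFC 5321 bound on a complete address; used here as a cheap guard before any regex runs.
MAX_LEN = 254


def is_valid_email(value, pattern=HARDENED):
    """Return True only for a non-empty string within MAX_LEN that matches `pattern`."""
    # Reject None and "" explicitly: checking only for null is the second bug in this thread.
    if not value:
        return False
    if len(value) > MAX_LEN:
        return False
    return re.fullmatch(pattern, value) is not None


def payload(n):
    """Constructed input in the shape reported in the issue: 'a@a.' + n alphanumerics + '&'."""
    filler = ("m5qRt8zLxQG4mMeu9yKZ" * (n // 20 + 1))[:n]
    return "a@a." + filler + "&"


def time_match(pattern, value):
    """Run one match and return (matched, seconds) so the growth of the old pattern is visible."""
    start = time.perf_counter()
    matched = re.fullmatch(pattern, value) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Keep n small: the number of ways to chunk the tail grows by a constant factor
    # (roughly 1.5x) per extra character, so the reported 60-character input is hopeless.
    for n in range(16, 37, 4):
        matched, seconds = time_match(VULNERABLE, payload(n))
        print(f"old pattern, n={n:2d}: matched={matched} in {seconds:.4f}s")
    matched, seconds = time_match(HARDENED, payload(60))
    print(f"new pattern, n=60: matched={matched} in {seconds:.6f}s")
    print("empty string accepted:", is_valid_email(""))
```

Running it prints a timing per step for the old pattern that climbs by a roughly constant factor every four characters, while the rewritten pattern rejects the full 60-character input immediately and the empty string is refused before any regex runs. The length guard is the part worth keeping even when the pattern is sound: it bounds the work of any future regex change by construction.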

@stale

stale bot commented Mar 19, 2018

Hello there!

It looks like this issue hasn't progressed lately. There are so many issues that we just can't deal with them all within a reasonable timeframe.

There are a couple of things you could help to get things rolling on this issue (this is an automated message, so expect that some of these are already in use):

  • Check if the issue is still valid for the latest version. There are dozens of duplicates in our issue tracker, so it is possible that the issue is already tackled. If it appears to be fixed, close the issue, otherwise report to the issue that it is still valid.
  • Provide more details how to reproduce the issue.
  • Explain why it is important to get this issue fixed and politely draw others' attention to it, e.g. via the forum or social media.
  • Add a reduced test case about the issue, so it is easier for somebody to start working on a solution.
  • Try fixing the issue yourself and create a pull request that contains the test case and/or a fix for it. Handling the pull requests is the top priority for the core team.
  • If the issue is clearly a bug, use the Warranty in your Vaadin subscription to raise its priority.

Thanks again for your contributions! Even though we haven't been able to get this issue fixed, we hope you will report your findings and enhancement ideas in the future too!

@stale stale bot added the Stale Stale bot label label Mar 19, 2018
@stale

stale bot commented Sep 12, 2020

The issue was automatically closed due to inactivity. If you found some new details to it or started working on it, comment on the issue so that maintainers can re-open it.

@stale stale bot closed this as completed Sep 12, 2020
@TatuLund TatuLund added the v7 label Sep 14, 2020
@TatuLund
Contributor

For some reason this ticket has been left open although it has been addressed in Vaadin version 8 and newer frameworks. The regexp pattern has been updated to

private static final String PATTERN = "^" + "([a-zA-Z0-9_\\.\\-+])+" // local

I verified that the problem with the given test pattern does not occur anymore.
