Skip to content

D
doctrine-dbal
Commit c57cf249 authored by romanb's avatar romanb
Browse files
Options

Important security fix for the e-mail validator. The D modifier was missing in the pattern.

parent f2484d17
Hide whitespace changes
Inline Side-by-side
Showing with 80 additions and 80 deletions
lib/Doctrine/Validator/Email.php
View file @ c57cf249
<?php <?php
/* /*
* $Id$ * $Id$
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
* *
* This software consists of voluntary contributions made by many individuals * This software consists of voluntary contributions made by many individuals
* and is licensed under the LGPL. For more information, see * and is licensed under the LGPL. For more information, see
* <http://www.phpdoctrine.com>. * <http://www.phpdoctrine.com>.
*/ */
/** /**
* Doctrine_Validator_Email * Doctrine_Validator_Email
* *
* @package Doctrine * @package Doctrine
* @category Object Relational Mapping * @category Object Relational Mapping
* @license http://www.opensource.org/licenses/lgpl-license.php LGPL * @license http://www.opensource.org/licenses/lgpl-license.php LGPL
* @link www.phpdoctrine.com * @link www.phpdoctrine.com
* @since 1.0 * @since 1.0
* @version $Revision$ * @version $Revision$
* @author Konsta Vesterinen <kvesteri@cc.hut.fi> * @author Konsta Vesterinen <kvesteri@cc.hut.fi>
*/ */
class Doctrine_Validator_Email class Doctrine_Validator_Email
{ {
/** /**
* @link http://iamcal.com/publish/articles/php/parsing_email/pdf/ * @link http://iamcal.com/publish/articles/php/parsing_email/pdf/
* @param Doctrine_Record $record * @param Doctrine_Record $record
* @param string $key * @param string $key
* @param mixed $value * @param mixed $value
* @param string $args * @param string $args
* @return boolean * @return boolean
*/ */
public function validate(Doctrine_Record $record, $key, $value, $args) public function validate(Doctrine_Record $record, $key, $value, $args)
{ {
if (empty($value)) { if (empty($value)) {
return true; return true;
} }
if (isset($args[0])) { if (isset($args[0])) {
$parts = explode("@", $value); $parts = explode("@", $value);
if (isset($parts[1]) && function_exists("checkdnsrr")) { if (isset($parts[1]) && function_exists("checkdnsrr")) {
if ( ! checkdnsrr($parts[1], "MX")) { if ( ! checkdnsrr($parts[1], "MX")) {
return false; return false;
} }
} }
} }
$qtext = '[^\\x0d\\x22\\x5c\\x80-\\xff]'; $qtext = '[^\\x0d\\x22\\x5c\\x80-\\xff]';
$dtext = '[^\\x0d\\x5b-\\x5d\\x80-\\xff]'; $dtext = '[^\\x0d\\x5b-\\x5d\\x80-\\xff]';
$atom = '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+'; $atom = '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+';
$quoted_pair = '\\x5c[\\x00-\\x7f]'; $quoted_pair = '\\x5c[\\x00-\\x7f]';
$domain_literal = "\\x5b($dtext|$quoted_pair)*\\x5d"; $domain_literal = "\\x5b($dtext|$quoted_pair)*\\x5d";
$quoted_string = "\\x22($qtext|$quoted_pair)*\\x22"; $quoted_string = "\\x22($qtext|$quoted_pair)*\\x22";
$domain_ref = $atom; $domain_ref = $atom;
$sub_domain = "($domain_ref|$domain_literal)"; $sub_domain = "($domain_ref|$domain_literal)";
$word = "($atom|$quoted_string)"; $word = "($atom|$quoted_string)";
$domain = "$sub_domain(\\x2e$sub_domain)+"; $domain = "$sub_domain(\\x2e$sub_domain)+";
/* /*
following psudocode to allow strict checking - ask pookey about this if you're puzzled following psudocode to allow strict checking - ask pookey about this if you're puzzled
if ($this->getValidationOption('strict_checking') == true) { if ($this->getValidationOption('strict_checking') == true) {
$domain = "$sub_domain(\\x2e$sub_domain)*"; $domain = "$sub_domain(\\x2e$sub_domain)*";
} }
*/ */
$local_part = "$word(\\x2e$word)*"; $local_part = "$word(\\x2e$word)*";
$addr_spec = "$local_part\\x40$domain"; $addr_spec = "$local_part\\x40$domain";
return (bool)preg_match("!^$addr_spec$!", $value); return (bool)preg_match("!^$addr_spec$!D", $value);
} }
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment