From 403539919a9a5b1e3e2ac9725a3b8b17403b2935 Mon Sep 17 00:00:00 2001 From: Harald Eilertsen Date: Mon, 8 Jan 2024 11:16:45 +0100 Subject: Improve the validate_email function The validate_email function relied on doing an actual domain lookup (on supported platforms) to validate the domain of the email address. This does not work too well in testing environments where we may not want to spam the DNS system, if it at all is available. Apart from the the function did very little to actually verify that it was a valid email address. This patch tries to change that by usng a somewhat stricted regex based validation. While this may not be perfect, it should be good enough in the vast majority of cases. For platforms where no validation was performed with the old version, it will at least be an improvement. Also, it allows testing without having an external network connection. Also clarify the doc comment, that it does not actually try to resolve the email address, just the domain. --- include/network.php | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) (limited to 'include/network.php') diff --git a/include/network.php b/include/network.php index f5c5303b3..c5411e702 100644 --- a/include/network.php +++ b/include/network.php @@ -591,23 +591,30 @@ function validate_url(&$url) { } /** - * @brief Checks that email is an actual resolvable internet address. + * @brief Checks that email is valid, and that the domain resolves. * - * @param string $addr - * @return boolean + * Note: This does not try to check that the actual email address will resolve, + * only the domain! + * + * @param string $addr The email address to validate. + * @return boolean True if email is valid, false otherwise. */ -function validate_email($addr) { +function validate_email(string $addr): bool { if(get_config('system', 'disable_email_validation')) return true; - if(! strpos($addr, '@')) - return false; - - $h = substr($addr, strpos($addr, '@') + 1); + $matches = array(); + $result = preg_match( + '/^[A-Z0-9._%-]+@([A-Z0-9.-]+\.[A-Z0-9-]{2,})$/i', + punify($addr), + $matches); - if(($h) && z_dns_check($h, true)) { - return true; + if($result) { + $domain = $matches[1]; + if(($domain) && z_dns_check($domain, true)) { + return true; + } } return false; -- cgit v1.2.3