Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Email-Valid CPAN distribution.

Report information
The Basics
Id: 75650
Status: resolved
Priority: 0/
Queue: Email-Valid
People
Owner: Nobody in particular
Requestors: adam.prime [...] utoronto.ca
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Mar 09 11:55:38 2012 adam.prime [...] utoronto.ca - Ticket created
Subject: Possible XSS related issue with ->address
The following string will pass Email::Valid->address a<body/onload=alert('http://lol.com?'+document.cookies) @a.a> If rendered in a firefox and chrome unescaped, this will execute the embedded javascript. It's actual use for exploit is somewhat limited as it relies on the string getting rendered without escaping, and the javascript itself cannot contain any double quotes or semicolons (among other restrictions from email valid). oneliner: aprime@primepc:~$ perl -MEmail::Valid -e 'print Email::Valid->address(q[a<body/onload=alert('http://lol.com?'+document.cookies) @a.a>]) ? "yes" : "no", "\n"'; yes
  Wed Sep 04 21:27:02 2013 rjbs [...] cpan.org - Correspondence added
I guess the question is: but is it legal? I don't think so. "<" is a "special" and can't appear in the local part... but it can if it's quoted. I think there are two issues: 1) I don't think that should be legal 2) people should entity-escape all user input, which includes email addresses -- rjbs
  Wed Sep 04 21:27:02 2013 The RT System itself - Status changed from 'new' to 'open'
  Thu Sep 05 09:28:37 2013 adam.prime [...] utoronto.ca - Correspondence added
Subject: Re: [rt.cpan.org #75650] Possible XSS related issue with ->address
Date: Thu, 05 Sep 2013 09:22:21 -0400
To: bug-Email-Valid [...] rt.cpan.org
From: Adam Prime <adam.prime [...] utoronto.ca>
On 09/04/2013 09:27 PM, Ricardo Signes via RT wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=75650 > > > I guess the question is: but is it legal? > > I don't think so. "<" is a "special" and can't appear in the local part... but it can if it's quoted. I think there are two issues: > > 1) I don't think that should be legal > 2) people should entity-escape all user input, which includes email addresses >
I absolutely agree with you. I filed the bug so that 1) could get fixed. I have a special hate for spaces in the local part also passing ->address, which is leveraged in the example. There are multiple reasons why the example shouldn't work, but it does. Adam
  Wed Mar 26 22:23:53 2014 rjbs [...] cpan.org - Correspondence added
Email::Valid accepts a mailbox specification, including phrase: $ perl -Ilib -MEmail::Valid -e 'print Email::Valid->address(q[Ricardo <rjbs@cpan.org>]) . "\n"'; rjbs@cpan.org That's why the <> were accepted: they accepted the whole mailbox, with "a" as the phrase and "...crazystuff.." as the addr-spec. Blech. My replacement for Email-Valid will have methods for just validating an address! -- rjbs
  Wed Mar 26 22:23:54 2014 rjbs [...] cpan.org - Status changed from 'open' to 'resolved'