This queue is for tickets about the Email-Valid CPAN distribution.

Report information
The Basics
Id: 75650
Status: resolved
Priority: 0/
Queue: Email-Valid

People
Owner: Nobody in particular
Requestors: adam.prime [...] utoronto.ca
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Possible XSS related issue with ->address
The following string will pass Email::Valid->address:

a<body/onload=alert('http://lol.com?'+document.cookies) @a.a>

If rendered in Firefox and Chrome unescaped, this will execute the embedded JavaScript. Its actual use for exploit is somewhat limited as it relies on the string getting rendered without escaping, and the JavaScript itself cannot contain any double quotes or semicolons (among other restrictions from Email::Valid).

One-liner:

aprime@primepc:~$ perl -MEmail::Valid -e 'print Email::Valid->address(q[a<body/onload=alert('http://lol.com?'+document.cookies) @a.a>]) ? "yes" : "no", "\n"';
yes
I guess the question is: but is it legal? I don't think so. "<" is a "special" and can't appear in the local part... but it can if it's quoted. I think there are two issues: 1) I don't think that should be legal 2) people should entity-escape all user input, which includes email addresses -- rjbs
Subject: Re: [rt.cpan.org #75650] Possible XSS related issue with ->address
Date: Thu, 05 Sep 2013 09:22:21 -0400
To: bug-Email-Valid [...] rt.cpan.org
From: Adam Prime <adam.prime [...] utoronto.ca>
On 09/04/2013 09:27 PM, Ricardo Signes via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=75650 >
>
> > I guess the question is: but is it legal?
>
> I don't think so. "<" is a "special" and can't appear in the local part... but it can if it's quoted. I think there are two issues:
>
> 1) I don't think that should be legal
> 2) people should entity-escape all user input, which includes email addresses
>
I absolutely agree with you. I filed the bug so that 1) could get fixed. I have a special hate for spaces in the local part also passing ->address, which is leveraged in the example. There are multiple reasons why the example shouldn't work, but it does.

Adam
Email::Valid accepts a mailbox specification, including phrase:

$ perl -Ilib -MEmail::Valid -e 'print Email::Valid->address(q[Ricardo <rjbs@cpan.org>]) . "\n"';
rjbs@cpan.org

That's why the <> were accepted: they accepted the whole mailbox, with "a" as the phrase and "...crazystuff.." as the addr-spec. Blech. My replacement for Email-Valid will have methods for just validating an address! -- rjbs
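The thread's two points (Email::Valid->address accepts a whole mailbox and returns only the addr-spec; anything user-supplied must be entity-escaped before it reaches HTML) can be checked from the caller's side. The script below is an added example, not code from the ticket or from the Email-Valid distribution. The helper name strict_address is a constructed one, and the sample inputs are constructed; it assumes Email::Valid with its default options and HTML::Entities from CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Email::Valid;
use HTML::Entities qw(encode_entities);

# Constructed inputs: a bare addr-spec, a mailbox with a phrase and
# angle brackets (the form the ticket shows being accepted), and junk.
my @inputs = (
    'rjbs@cpan.org',
    'Ricardo <rjbs@cpan.org>',
    'not an address',
);

# strict_address (hypothetical helper): accept input only if Email::Valid
# hands back exactly what it was given, i.e. the input was a bare addr-spec.
# A "phrase <addr-spec>" mailbox validates, but the returned addr-spec differs
# from the raw input, so it is rejected here rather than stored verbatim.
sub strict_address {
    my ($input) = @_;
    my $addr = Email::Valid->address($input);
    return undef unless defined $addr;
    return $addr eq $input ? $addr : undef;
}

for my $in (@inputs) {
    my $loose  = Email::Valid->address($in);   # what the module accepts today
    my $strict = strict_address($in);          # only round-tripping addr-specs
    printf "%-26s loose=%-14s strict=%s\n", $in,
        defined $loose  ? $loose  : 'undef',
        defined $strict ? $strict : 'undef';
}

# Regardless of what validation accepted, escape before rendering in HTML:
# encode_entities turns <, >, & and " into entities, so markup carried in a
# phrase or local part is shown as text instead of being parsed by the browser.
for my $in (@inputs) {
    print "html: ", encode_entities($in), "\n";
}
```

The round-trip check is the caller-side equivalent of the "method for just validating an address" mentioned above: it keeps the library's syntax checking but refuses any input where a phrase, comment or angle-bracket wrapper was silently discarded. The escaping step is independent of validation and is the fix for point 2) in the thread; validation alone never makes a string safe to render.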