View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000517 | Main CAcert Website | GPG/PGP | public | 2008-03-14 16:42 | 2013-01-15 02:12 |
| Reporter | ph3 | Assigned To | |||
| Priority | normal | Severity | crash | Reproducibility | have not tried |
| Status | closed | Resolution | open | ||
| Fixed in Version | 2009 Q2 | ||||
| Summary | 0000517: Can get any UUCP Style email address signed | ||||
| Description | I have an OpenPGP key with _two_ UUCP style E-Mail addresses. The system said: # Name Email Result 1 Error: Both Name and Email address are empty 2 Philipp Schafft The name is OK. The email is empty. 3 Philipp Schafft The name is OK. The email is empty. The system seems to forget about them as they seem to be invalid. | ||||
| Additional Information | UUCP Style E-Mail addresses are addresses in form 'host!user'. They _ARE_ still valid even outside UUCP and supported by all MTAs I know. The major benefit is that spambots don't find them :) Consider you check email addys by a regex like this one: /^([^\@]+)\@(.+)$/ and use $1 as the username and $2 as the host part you may use this to check uucp style addresses: /^([^\!]+)\!([^\!]+)$/ and use $1 as the host and $2 as the username. You also can use this regex to convert it: s/^([^\!]+)\!([^\!]+)$/$2\@$1/; | ||||
| Tags | No tags attached. | ||||
| Attached Files | gpg.patch (2,697 bytes)
--- gpg.php.orig 2009-04-09 14:58:20.000000000 +0200
+++ gpg.php 2009-04-09 14:59:32.000000000 +0200
@@ -116,38 +116,11 @@
if($bits[6] != "")
$expires = 1;
}
- //if(!strstr($line, "@")) continue;
-
-
-
- $pos = strpos($bits[9], "(") - 1;
- $nocomment = 0;
- if($pos < 0)
- {
- $nocomment = 1;
- $pos = strpos($bits[9], "<") - 1;
- }
- if($pos < 0)
- {
- $pos = strlen($bits[9]);
- }
- $name = trim(hex2bin(trim(substr($bits[9], 0, $pos))));
- $nameok=verifyName($name);
- $resulttable.="<td bgcolor='#".($nameok?"c0ffc0":"ffc0c0")."'>$name</td>";
-
-
- if($nocomment == 0 && (strpos($bits[9],")")>$pos))
- {
- $pos += 2;
- $pos2 = strpos($bits[9], ")");
- $comm = trim(hex2bin(trim(substr($bits[9], $pos, $pos2 - $pos))));
- if($comm != "")
- $comment[] = $comm;
- $pos = $pos2 + 3;
- } else {
- $pos = strpos($bits[9], "<") + 1;
- }
+ $name="";
+ $comm="";
$mail="";
+ $uidformatwrong=0;
+
if(preg_match("/\@.*\@/",$bits[9]))
{
showheader(_("Welcome to CAcert.org"));
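Review bot: the preg_match("/\@.*\@/",$bits[9]) guard kept as context at the end of this hunk still handles a UID containing two '@' by calling showheader() and, per the context lines that follow, exit(), which ends the request for one bad UID, while the $uidformatwrong flag added just above it exists to report a malformed UID in its own result row. Consider setting $uidformatwrong=1 in that branch instead, or add a comment explaining why a double '@' has to be fatal when every other format error is not.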
@@ -158,23 +131,46 @@
unset($oldid);
exit();
}
- if (preg_match("/<([\w.-]*\@[\w.-]*)>/", $bits[9],$match)) {
- //echo "Found: ".$match[1];
- $mail = trim(hex2bin($match[1]));
+
+
+ if(preg_match("/^([^\(\[@]+) \(([^@<>)]*)\) <([\w=\/%.-]*\@[\w.-]*|[\w.-]*\![\w=\/%.-]*)>/",$bits[9],$matches))
+ {
+ $name=trim(hex2bin($matches[1]));
+ $nameok=verifyName($name);
+ $nocomment=0;
+ $comm=trim(hex2bin($matches[2]));
+ $mail=trim(hex2bin($matches[3]));
+ }
+ elseif(preg_match("/^([^\(\[@]+) <([\w=\/%.-]*\@[\w.-]*|[\w.-]*\![\w=\/%.-]*)>/",$bits[9],$matches))
+ {
+ $name=trim(hex2bin($matches[1]));
+ $nocomment=1;
+ $mail=trim(hex2bin($matches[2]));
}
else
{
- //echo "Not found!\n";
+ $nocomment=1;
+ $uidformatwrong=1;
}
-
+ $nameok=verifyName($name);
$emailok=verifyEmail($mail);
- $resulttable.="<td bgcolor='#".($emailok?"c0ffc0":"ffc0c0")."'>$mail</td>";
+
+ if($comm != "")
+ $comment[] = $comm;
+
+ $resulttable.="<td bgcolor='#".($nameok?"c0ffc0":"ffc0c0")."'>".sanitizeHTML($name)."</td>";
+ $resulttable.="<td bgcolor='#".($emailok?"c0ffc0":"ffc0c0")."'>".sanitizeHTML($mail)."</td>";
+
$uidok=0;
if($bits[1]=="r")
{
$rmessage=_("Error: UID is revoked");
}
+ elseif($uidformatwrong==1)
+ {
+ $rmessage=_("The format of the UID was not recognized. Please use 'Name (comment) <email@domain>' ");
+ }
elseif($mail=="" and $name=="")
{
$rmessage=_("Error: Both Name and Email address are empty");
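Review bot: both new UID patterns are anchored with ^ but have no $ after the closing '>', and the address alternation uses * on each side of '@' and '!', so "Name <@>", "Name <!>" and any trailing text after '>' all match and populate $mail; rejection then rests entirely on verifyEmail(). Suggest + instead of * for the local and host parts and an end anchor after '>'. The 'host!user' form is stored in $mail unchanged, so either verifyEmail() must understand '!' or the address should be rewritten to user@host before the check, as the report proposes. Smaller points: the patterns run on $bits[9] before hex2bin() is applied to the captures, so the [^...] exclusions for name and comment constrain the encoded text only; $nameok=verifyName($name) in the first branch is repeated unconditionally after the if/else; and $nocomment is assigned in every branch but not read in the lines shown.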
| ||||
| Reviewed by | |||||
| Test Instructions | |||||
| related to | 0000518 | new | Valid E-Mail addresses with specal chars are rejected |
|
|
The regular expressions are also matching spaces and other whitespaces: "Philipp is not an email address! or?" would match /^([^\!]+)\!([^\!]+)$/ but it's clearly not a UUCP address. |
|
|
The regex was only to show the general schema as /^([^\@]+)\@(.+)$/ is not a good regex for 'normal' addresses. The same rules as in 0000518 apply to the address. Maybe the system should reformat it internally to a single schema and check that to reduce the need for a big regex or multiple similar ones. |
|
|
Yesterday I uploaded an OpenPGP key with a normal not UUCP style mail addy with a '=' included. The behavior of the system is the same: it gets accepted without need to verify it before. I believe that the regex problem is the same as in 0000518. |
|
|
The bug has been fixed. Please test and close this report. |
|
|
Closing issues that have been resolved more than one year ago… |
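
The notes above suggest reformatting UUCP addresses internally to a single schema and checking that. A sketch of that approach follows as an added example; it is not CAcert code and not part of gpg.patch. The function names, the strict character classes, the requirement that the host be a dotted domain name, and the verified-address list are all assumptions.

```php
<?php
// Added example, not CAcert code; all function names here are hypothetical.
// Assumptions: the host must be a dotted domain name, and the local part is
// limited to the characters the attached patch accepts.
const LOCAL_RE = '[A-Za-z0-9_=\/%.-]+';
const LABEL_RE = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
const HOST_RE  = LABEL_RE . '(?:\.' . LABEL_RE . ')+';

// Return 'user@host' for 'user@host' or single-hop 'host!user', else null.
function normalizeAddress(string $addr): ?string
{
    // D: '$' matches only at the very end, so a trailing newline is rejected.
    if (preg_match('/^(' . LOCAL_RE . ')@(' . HOST_RE . ')$/D', $addr, $m)) {
        return $m[1] . '@' . strtolower($m[2]);
    }
    if (preg_match('/^(' . HOST_RE . ')!(' . LOCAL_RE . ')$/D', $addr, $m)) {
        return $m[2] . '@' . strtolower($m[1]);
    }
    return null;
}

// A UID address is acceptable only if its normalised form is already in the
// account's list of verified addresses (assumed stored as 'user@host').
function uidAddressAllowed(string $addr, array $verified): bool
{
    $n = normalizeAddress($addr);
    return $n !== null && in_array($n, $verified, true);
}

// Constructed sample data.
$verified = ['user@example.org'];
$samples = [
    'user@example.org',
    'Example.ORG!user',
    'other.example!user',
    'relay.example!example.org!user',
    'Philipp is not an email address! or?',
    "user@example.org\n",
];
foreach ($samples as $s) {
    $n = normalizeAddress($s);
    printf("%-42s %-20s %s\n", json_encode($s), $n ?? 'rejected',
        uidAddressAllowed($s, $verified) ? 'allowed' : 'not allowed');
}
```

Because both spellings collapse to one canonical string, the ownership check runs once on that string, and a syntactically valid address that was never verified is still refused.
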
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-03-14 16:42 | ph3 | New Issue | |
| 2008-10-14 12:07 | Sourcerer | Note Added: 0001233 | |
| 2008-10-14 14:34 | ph3 | Note Added: 0001235 | |
| 2008-10-14 14:36 | ph3 | Relationship added | related to 0000518 |
| 2009-04-07 15:48 | ph3 | Note Added: 0001349 | |
| 2009-04-07 16:55 | Sourcerer | File Added: gpg.patch | |
| 2009-04-09 13:06 | Sourcerer | File Deleted: gpg.patch | |
| 2009-04-09 13:07 | Sourcerer | File Added: gpg.patch | |
| 2009-04-19 23:14 | Sourcerer | Note Added: 0001374 | |
| 2009-04-19 23:14 | Sourcerer | Status | new => solved? |
| 2012-05-30 21:17 | NEOatNHNG | Note Added: 0003041 | |
| 2012-05-30 21:17 | NEOatNHNG | Status | solved? => closed |
| 2013-01-15 02:12 | Werner Dworak | Fixed in Version | => 2009 Q2 |