From 8c4a70129847e2a76f7ffcd321ec59f49258a3e4 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Wed, 9 Sep 2015 12:00:11 +0800
Subject: Bug 1202461 - backport bug 319953 to bmo (Missing real email syntax check)
---
 Bugzilla/Util.pm | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index f2291a812..d80ab9569 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -704,12 +704,22 @@ sub generate_random_password {
 sub validate_email_syntax {
 my ($addr) = @_;
 my $match = Bugzilla->params->{'emailregexp'};
- my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
- if ($ret) {
+ my $email = $addr . Bugzilla->params->{'emailsuffix'};
+ # This regexp follows RFC 2822 section 3.4.1.
+ my $addr_spec = $Email::Address::addr_spec;
+ # RFC 2822 section 2.1 specifies that email addresses must
+ # be made of US-ASCII characters only.
+ # Email::Address::addr_spec doesn't enforce this.
+ if ($addr =~ /$match/
+ && $email !~ /\P{ASCII}/
+ && $email =~ /^$addr_spec$/
+ && length($email) <= 127)
+ {
 # We assume these checks to suffice to consider the address untainted.
 trick_taint($_[0]);
+ return 1;
 }
- return $ret ? 1 : 0;
+ return 0;
 }
 sub validate_date {
-- 
cgit v1.2.3-24-g4f1b
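Review bot: The `^…$` anchors in `$email =~ /^$addr_spec$/` accept a value that ends in a newline, because `$` also matches just before a final "\n", and the removed character class was the part that rejected `\r` and `\n` explicitly; whether `emailregexp` still catches it depends on the configured pattern. Anchoring with `&& $email =~ /\A$addr_spec\z/` closes that gap before `trick_taint($_[0])` marks the address clean. The RFC 2822 grammar presumably also admits quoted local parts containing characters the old blacklist refused (`&`, `;`, `<`, `>`), so any caller that relied on the narrower character set should escape the address on output. The `length($email) <= 127` bound deserves a one-line comment naming the limit it protects.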