ID: 43402
User updated by: nobody at example dot org
Reported By: nobody at example dot org
Status: Open
Bug Type: Filter related
Operating System: N/A
PHP Version: 5.2.5
New Comment:
--TEST--
PMOPB-45-2007:PHP ext/filter Email Validation Vulnerability
--SKIPIF--
<?php if (!extension_loaded("filter")) die("skip"); ?>
--FILE--
<?php
$var = "[EMAIL PROTECTED]";
var_dump(filter_var($var, FILTER_VALIDATE_EMAIL));
?>
--EXPECT--
bool(false)
Previous Comments:
------------------------------------------------------------------------
[2007-11-25 23:42:35] nobody at example dot org
Adding test.
------------------------------------------------------------------------
[2007-11-25 22:22:59] nobody at example dot org
Description:
------------
The regex used in php_filter_validate_email does not permit all valid
atom chars from RFC 2822 (e.g. ASCII 61, 63).
Reproduce code:
---------------
<?php
$valid="!#$%&'*+-/=.?^_`{|[EMAIL PROTECTED]";
echo filter_var($valid, FILTER_VALIDATE_EMAIL)? 'Valid': 'Invalid',
"\n";
Expected result:
----------------
Valid
Actual result:
--------------
Invalid
------------------------------------------------------------------------
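The description's point about RFC 2822 atom characters, as an added example that is not part of the original report and not code from ext/filter: a dot-atom check built from the RFC's atext set, run beside filter_var on constructed local parts. The function names and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example; not code from ext/filter. Function names are hypothetical.

// RFC 2822 section 3.2.4: atext = ALPHA / DIGIT / one of these specials.
// "=" is ASCII 61 and "?" is ASCII 63, the two bytes named in the report.
const ATEXT_SPECIALS = '!#$%&\'*+-/=?^_`{|}~';

// True when $local is a dot-atom: 1*atext *("." 1*atext).
function is_dot_atom(string $local): bool
{
    $atom = '[A-Za-z0-9' . preg_quote(ATEXT_SPECIALS, '/') . ']+';
    // \A and \z anchor the whole string; "$" would also match just
    // before a trailing newline and accept "tail\n".
    return preg_match('/\A' . $atom . '(?:\.' . $atom . ')*\z/', $local) === 1;
}

// Offsets and byte values in $local that are neither atext nor ".".
function rejected_bytes(string $local): array
{
    $bad = [];
    if ($local === '') {
        return $bad;
    }
    foreach (str_split($local) as $i => $ch) {
        if ($ch !== '.' && !is_dot_atom($ch)) {
            $bad[$i] = ord($ch);
        }
    }
    return $bad;
}

// Constructed sample local parts (not taken from the report).
$samples = ['a=b', 'who?', 'first.last', '.lead', 'two..dots', "tail\n", 'a b'];

foreach ($samples as $local) {
    $address = $local . '@example.org';
    printf(
        "%-14s dot-atom=%-3s filter_var=%-3s rejected=%s\n",
        json_encode($local),
        is_dot_atom($local) ? 'yes' : 'no',
        filter_var($address, FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no',
        json_encode(rejected_bytes($local))
    );
}
```

A row where dot-atom is yes and filter_var is no marks a local part the installed filter rejects even though RFC 2822 allows it; the filter_var column depends on the PHP version in use.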