osr-plastic/osr-discourse-src
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

SECURITY: email domain whitelist could be bypassed

Browse Source
This commit is contained in:
Gerhard Schlager 2018-01-17 21:45:32 +01:00
parent 387bdadbe2
commit 7129e6e4cb
2 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/validators/email_validator.rb
View File

@ -22,7 +22,7 @@ class EmailValidator < ActiveModel::EachValidator
def self.email_in_restriction_setting?(setting, value)
domains = setting.gsub('.', '\.')
regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
value =~ regexp
end

1
spec/components/validators/email_validator_spec.rb
View File

@ -40,6 +40,7 @@ describe EmailValidator do
expect(blocks?('sam@bob.email.com')).to eq(false)
expect(blocks?('sam@e-mail.com')).to eq(true)
expect(blocks?('sam@googlemail.com')).to eq(false)
expect(blocks?('sam@email.computers.are.evil.com')).to eq(true)
end
end