#10142 Fixed EmailValidator to check email length properly

2025-08-16 15:21:13 +08:00 · 2015-11-14 00:39:12 +02:00
parent 79003d071e
commit bf6b50f58e
4 changed files with 50 additions and 15 deletions
--- a/framework/validators/EmailValidator.php
+++ b/framework/validators/EmailValidator.php
@ -70,19 +70,34 @@ class EmailValidator extends Validator
     */
    protected function validateValue($value)
    {
-        // make sure string length is limited to avoid DOS attacks
-        if (!is_string($value) || strlen($value) >= 320) {
+        if (!is_string($value)) {
            $valid = false;
-        } elseif (!preg_match('/^(.*<?)(.*)@(.*?)(>?)$/', $value, $matches)) {
+        } elseif (!preg_match('/^(?P<name>(?:"?([^"]*)"?\s)?)(?:\s+)?(?:(?P<open><?)((?P<local>.+)@(?P<domain>[^>]+))(?P<close>>?))$/i', $value, $matches)) {
            $valid = false;
        } else {
-            $domain = $matches[3];
            if ($this->enableIDN) {
-                $value = $matches[1] . idn_to_ascii($matches[2]) . '@' . idn_to_ascii($domain) . $matches[4];
+                $matches['local'] = idn_to_ascii($matches['local']);
+                $matches['domain'] = idn_to_ascii($matches['domain']);
+                $value = $matches['name'] . $matches['open'] . $matches['local'] . '@' . $matches['domain'] . $matches['close'];
            }
-            $valid = preg_match($this->pattern, $value) || $this->allowName && preg_match($this->fullPattern, $value);
-            if ($valid && $this->checkDNS) {
-                $valid = checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
+
+            if (strlen($matches['local']) > 64 || mb_strlen($matches['name']) > 64) {
+                // The maximum total length of a user name or other local-part is 64 octets. RFC 5322 section 4.5.3.1.1
+                // http://tools.ietf.org/html/rfc5321#section-4.5.3.1.1
+                $valid = false;
+            } elseif (strlen($matches['local'] . '@' . $matches['domain']) > 254) {
+                // There is a restriction in RFC 2821 on the length of an address in MAIL and RCPT commands
+                // of 254 characters. Since addresses that do not fit in those fields are not normally useful, the
+                // upper limit on address lengths should normally be considered to be 254.
+                //
+                // Dominic Sayers, RFC 3696 erratum 1690
+                // http://www.rfc-editor.org/errata_search.php?eid=1690
+                $valid = false;
+            } else {
+                $valid = preg_match($this->pattern, $value) || $this->allowName && preg_match($this->fullPattern, $value);
+                if ($valid && $this->checkDNS) {
+                    $valid = checkdnsrr($matches['domain'], 'MX') || checkdnsrr($matches['domain'], 'A');
+                }
            }
        }

@ -101,7 +116,7 @@ class EmailValidator extends Validator
            'message' => Yii::$app->getI18n()->format($this->message, [
                'attribute' => $model->getAttributeLabel($attribute),
            ], Yii::$app->language),
-            'enableIDN' => (bool) $this->enableIDN,
+            'enableIDN' => (bool)$this->enableIDN,
        ];
        if ($this->skipOnEmpty) {
            $options['skipOnEmpty'] = 1;