0003427: SMTP Whitelist Input validation is not working correctly - MantisBT
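ID: 0003427
Project: Endian Firewall
Category: Proxy SMTP
View Status: public
Date Submitted: 2011-01-12 11:03
Last Update: 2011-02-02 13:47
Reporter: baldy
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open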
2.4 
 
0003427: SMTP Whitelist Input validation is not working correctly
Input validation is not validating correctly.

When adding a strange email address like 0001941##616764@bounce.yzmail.nl">bounce+hema#0001941##616764@bounce.yzmail.nl
the address is rejected as invalid.

All symbols in the local part of the address are allowed per RFC 5322.
Snippet from Wikipedia:

The local-part of the email address may use any of these ASCII characters:

Uppercase and lowercase English letters (a–z, A–Z)
Digits 0 to 9
Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
Character . (dot, period, full stop) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com).
No tags attached.
Issue History
2011-01-12 11:03 | baldy | New Issue
2011-01-12 12:45 | baldy | Note Added: 0005470
2011-01-12 12:46 | baldy | Note Added: 0005471
2011-01-12 12:47 | baldy | Note Edited: 0005471
2011-01-13 14:43 | baldy | Note Added: 0005475
2011-01-13 21:17 | baldy | Note Edited: 0005475
2011-01-13 23:39 | baldy | Note Edited: 0005475
2011-01-19 08:47 | lorenzo-endian | Note Added: 0005505
2011-01-19 08:47 | lorenzo-endian | Assigned To | => lorenzo-endian
2011-01-19 08:47 | lorenzo-endian | Status | new => confirmed
2011-01-19 16:21 | baldy | Note Added: 0005508
2011-02-02 13:47 | lorenzo-endian | Customer Occurencies | => 0
2011-02-02 13:47 | lorenzo-endian | Assigned To | lorenzo-endian => peter-endian

Notes
(0005470)
baldy   
2011-01-12 12:45   
The address : mailbot-bh-act=314119155_si=314101096_sub=3111@m14.mailplus.nl is also rejected.

Regards,

Baldy
(0005471)
baldy   
2011-01-12 12:46   
(edited on: 2011-01-12 12:47)
The correct address in the OP is : bounce+hema#0001941##616764@bounce.yzmail.nl.

Looks like something went wrong with the copy/paste.

Regards,

Baldy

(0005475)
baldy   
2011-01-13 14:43   
(edited on: 2011-01-13 23:39)
Did some testing, special characters which should be allowed are not.

When adding an email address containing ! # $ % & ' * + / = ? ^ ` { | } ~ validation fails.

The only 2 special characters correctly validated are - (minus) and _ (underscore)

Happens on all fields in the SMTP Proxy->Black & Whitelists where you can enter an email address.

Regards,

Baldy

(0005505)
lorenzo-endian   
2011-01-19 08:47   
Hi baldy,

You are right, the address is not accepted! BTW, checking the email addresses against the RFC 5322 is strictly impossible due to the fact that the definition is simply too complicated (for a quick reference, http://stackoverflow.com/questions/201323/what-is-the-best-regular-expression-for-validating-email-addresses).

In any case I confirm this issue so that it will be checked by our development team in order to improve the email addresses validation, if it is possible.

In any case, thanks a lot for reporting this issue!

Have a nice day

Lorenzo
(0005508)
baldy   
2011-01-19 16:21   
Hi Lorenzo,

More and more newsletters are using # in the address in my experience.
The + sign is used for sorting mail.

Maybe this link is useful for the development team, http://code.google.com/p/isemail/source/browse/PHP/beta/is_email.php

Regards,

Baldy
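
The local-part character rules quoted in the report, and the failures listed in note 0005475, as an added Python example. It is not Endian Firewall's code and not from any poster in this thread. STRICT_LOCAL_RE is a hypothetical pattern that only reproduces the reported behaviour, the domain rule is an assumption, quoted-string local parts are not handled, and the samples not taken from the thread are constructed.

```python
import re

# Specials the quoted rules allow in an unquoted local part (RFC 5322 "atext").
SPECIALS = re.escape("!#$%&'*+-/=?^_`{|}~")
ATOM = rf"[A-Za-z0-9{SPECIALS}]+"
# Dot-atom: atoms joined by single dots, so no leading, trailing or doubled dot.
LOCAL_RE = re.compile(rf"{ATOM}(?:\.{ATOM})*")
# Hypothetical over-strict pattern reproducing the behaviour reported in the
# notes (only '-' and '_' pass). It is NOT taken from Endian Firewall's code.
STRICT_LOCAL_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*")
# Domain as dot-separated letter/digit/hyphen labels (assumption for this example).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")

def validate(address, local_re=LOCAL_RE):
    """Return (ok, reason) for one whitelist/blacklist entry."""
    # Reject whitespace, control and non-ASCII bytes first, so a newline can
    # never travel with an entry into a line-based list or config file.
    if any(ord(c) < 33 or ord(c) > 126 for c in address):
        return False, "control, space or non-ASCII character"
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False, "missing local part or domain"
    if len(local) > 64 or len(domain) > 255:  # RFC 5321 size limits
        return False, "length limit exceeded"
    # fullmatch() rather than match() with '$': '$' also matches just before
    # a trailing newline, which would let "addr\n" through.
    if not local_re.fullmatch(local):
        return False, "local part is not a dot-atom"
    if not DOMAIN_RE.fullmatch(domain):
        return False, "domain is not a dotted hostname"
    return True, "ok"

SAMPLES = [
    "bounce+hema#0001941##616764@bounce.yzmail.nl",                     # from the report
    "mailbot-bh-act=314119155_si=314101096_sub=3111@m14.mailplus.nl",  # from note 0005470
    "John..Doe@example.com",                                            # doubled dot, quoted rule
    "user-name_1@example.com",                                          # constructed
    "a@example.com\n",                                                  # constructed, trailing newline
]

def compare(samples=SAMPLES):
    """Map each address to (accepted by strict pattern, accepted by dot-atom)."""
    return {a: (validate(a, STRICT_LOCAL_RE)[0], validate(a)[0]) for a in samples}

if __name__ == "__main__":
    for addr, (strict, dot_atom) in compare().items():
        print(f"{addr!r:70} strict={strict} dot-atom={dot_atom}")
```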