Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Development Issues [Important] Bypass email validation
[Important] Bypass email validation
  • Offline peter
    Junior Member
  • **
  • Posts: 16
    Threads: 5
    Joined: Mar 2015
    Reputation: 0
#1
11-25-2018, 02:43 AM

Hello,

If i simply use this code to check an email in CI :

PHP Code:
$this->form_validation->set_rules('email''email''trim|required|valid_email'); 

I just to need to send a form with this input :

Code:
"><svg/onload=confirm(1)>"@x.y

and I can bypass email validation....

The solution is to fix valid_email from Form_validation.php and add :

PHP Code:
$email filter_var($emailFILTER_SANITIZE_EMAIL); 

You should fix it in CI 3.2 !
Reply
  • Offline jreklund
    Administrator
  • *******
  • Posts: 1,408
    Threads: 3
    Joined: Aug 2017
    Reputation: 43
#2
11-25-2018, 03:37 AM

It's correctly validating it according to RFC 822. It dosen't care about XSS, due to the fact that's an valid email address.
https://en.wikipedia.org/wiki/Email_address#Local-part

Also, ALL security concerns should be sent to:
security@codeigniter.com
Reply




Theme © iAndrew 2016 - Forum software by © MyBB