• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Important] Bypass email validation

#1
Hello,

If i simply use this code to check an email in CI :

PHP Code:
$this->form_validation->set_rules('email''email''trim|required|valid_email'); 

I just to need to send a form with this input :

Code:
"><svg/onload=confirm(1)>"@x.y

and I can bypass email validation....

The solution is to fix valid_email from Form_validation.php and add :

PHP Code:
$email filter_var($emailFILTER_SANITIZE_EMAIL); 

You should fix it in CI 3.2 !
Reply

#2
It's correctly validating it according to RFC 822. It dosen't care about XSS, due to the fact that's an valid email address.
https://en.wikipedia.org/wiki/Email_address#Local-part

Also, ALL security concerns should be sent to:
security@codeigniter.com
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.