fix: quoted email addresses and status responses #10980
base: main
Conversation
Signed-off-by: SebastianKrupinski <[email protected]>
Looks good otherwise.
public function testNormalizeEmailWithExtraSpaces() {
    $email = ' [email protected] ';
    $normalizedEmail = $this->invokePrivate($this->controller, 'normalizeEmail', [$email]);
    $this->assertEquals('[email protected]', $normalizedEmail);
}

public function testNormalizeEmailWithSingleQuotes() {
    $email = "'[email protected]'";
    $normalizedEmail = $this->invokePrivate($this->controller, 'normalizeEmail', [$email]);
    $this->assertEquals('[email protected]', $normalizedEmail);
}
You could use a data provider here.
public static function normalizeEmailDataProvider(): array {
return [
// [input, expected]
[' [email protected] ', '[email protected]'],
["'[email protected]'", '[email protected]'],
// Add more tests at your discretion ...
];
}
/**
* @dataProvider normalizeEmailDataProvider
*/
public function testNormalizeEmail(string $email, string $expected): void {
$normalizedEmail = $this->invokePrivate($this->controller, 'normalizeEmail', [$email]);
$this->assertEquals($expected, $normalizedEmail);
}
Sure. Done
Signed-off-by: SebastianKrupinski <[email protected]>
Seeing requests like these, I find the avatar endpoint the wrong place to normalize email addresses. That email address is already broken, and it just explodes over there. Unless there's another explanation for those requests, I would prefer to change the AutoComplete controller and run all emails/contacts through filter_var so that it does not suggest contacts with invalid email addresses.
It's happening on received emails, I'll share the ticket with you internally.
Thanks, I reviewed the support ticket yesterday before replying here. I had a hunch about who created it because I worked on a similar case for them a while ago.
I've seen this in the past: some desktop clients, SMTP servers and online services wrap the email addresses in quotes. I can reproduce the issue by modifying an email and manually uploading it. THIS IS NOT an issue with our front end.
There is nothing wrong with normalizing input for things like letter case and spaces; you are just confirming that the input is in a proper format, especially when you need to match an existing item.
If you look at the logs that the client sent, you can see 14 failures in 1 second.
Hi, As mentioned earlier, I reviewed the support ticket and the provided logs.
I was able to reproduce the problem with a broken contact, which led me to wonder: how do you determine from the customer's data that their issue is triggered by an incoming email rather than a malformed contact in the address book?
Did you modify an email by adding quotes around the "From" header, like this:
I'm not opposed to normalizing the input, but we should do it correctly. As mentioned before, the avatar endpoint is where the issue becomes apparent. I assume most of our code expects the email address to be syntactically valid. For example, if we reply to an email with a quoted "From" header, the remote server might reject it due to an invalid format. If we want to support such email formats, we should normalize them much earlier. Otherwise, we'll need to apply this normalization in many more places.
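The two approaches argued over in this thread, stripping wrapping quotes and whitespace before matching (the author's position) and rejecting anything that is still not a valid address via filter_var (the reviewer's position), can be combined in one helper. The following is an added example written for this page; it is not code from the nextcloud/mail repository, the function name normalizeEmail only mirrors the test code quoted above, and its signature, the set of wrapper characters it strips, the domain lower-casing and the sample inputs are all assumptions of this example. Validating before the lookup means a malformed contact is dropped from suggestions instead of producing the 400 responses that the linked ticket says trip the IP ban logic.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not project code. Returns a normalized address, or
 * null when the input cannot be turned into a syntactically valid one.
 *
 * Step 1 tolerates the broken-but-common forms seen in the wild
 * (address wrapped in quotes or angle brackets, stray whitespace).
 * Step 2 refuses to pass anything still malformed downstream, so the
 * caller can skip the contact rather than issue a request that fails.
 */
function normalizeEmail(string $email): ?string {
    // Trim, then peel one matching pair of wrappers, then trim again
    // so "' user@host '" and "<user@host>" both collapse to user@host.
    $value = trim($email);
    $wrappers = ["'" => "'", '"' => '"', '<' => '>'];
    foreach ($wrappers as $open => $close) {
        $len = strlen($value);
        if ($len >= 2 && $value[0] === $open && $value[$len - 1] === $close) {
            $value = trim(substr($value, 1, -1));
            break;
        }
    }

    // Only the domain part is case-insensitive (RFC 5321); lower-case it
    // so lookups against stored contacts match, and leave the local part
    // exactly as given. (Assumption of this example, not project policy.)
    $at = strrpos($value, '@');
    if ($at === false) {
        return null;
    }
    $local = substr($value, 0, $at);
    $domain = strtolower(substr($value, $at + 1));
    $value = $local . '@' . $domain;

    // Final gate: what is still not a valid address is rejected, not forwarded.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Constructed sample inputs for this example, including the quoted
// form the thread describes and two inputs that must be rejected.
$samples = [
    ' [email protected] ',
    "'[email protected]'",
    '"[email protected]"',
    '<[email protected]>',
    "'alice@'",
    'not an address',
];
foreach ($samples as $input) {
    $result = normalizeEmail($input);
    printf("%-36s => %s\n", var_export($input, true), $result ?? 'REJECTED');
}
```

Callers that feed a lookup such as the avatar endpoint should only proceed when the helper returns a string; a null result belongs in a log line, not in an outgoing request. The same table of inputs and expected outputs can be fed to the data-provider test suggested earlier in the thread.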
Resolves
Client ticket - No avatar 400 responses trigger security IP bans
Summary