Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0002282Piwigosecuritypublic2011.04.26 13:422014.09.25 22:26
Assigned To 
PlatformOSOS Version
Product Version2.2.1 
Target VersionFixed in Version 
Summary0002282: Email address containing apostrophe invalid due to magic quotes
DescriptionWhen submitting an email address that contains an ' trough the profile page, the address is rejected because it is considered being wrongly formatted.
This is due to magic quotes changing (apo'strophe@example.com) into (apo\'strophe@example.com).

Steps To ReproduceChange an email address of a user into one containing an '.
TagsNo tags attached.
Database engine and version
PHP version
Web serverApache 1.3.x
Attached Files

- Relationships

-  Notes
stim (reporter)
2011.04.26 13:43

(I don't really think it is necessary to allow ' in email addresses, but currently the program is not behaving like the contract (the regexp) says)
jcommelin (reporter)
2011.05.02 21:04

According to RFC 822 it is valid to have an apostrophe in ones email address. Still I think (just like stim) that it is not really necessary to allow them. It brings problems with it like SQL injections and such...
bryanw (reporter)
2014.09.25 22:26

Horrible attitude to take, and unfortunately it is pervasive through the Piwigo code.

Piwigo is attempting to be an internationally useful program. The fr.piwigo.org forums are full of complaints about errors in email and file names where apostrophe and accents are present.

Input sanitation is a basic thing. It is a solved problem. Automatically escaping URLs and email addresses is also a solved problem.

Basically, if my file system allows me to name a file "Robert'); DROP TABLE Students;--" then it should handle it. Observe that Mantis (the bug database) doesn't choke and die on accents and apostrophes.

- Issue History
Date Modified Username Field Change
2011.04.26 13:42 stim New Issue
2011.04.26 13:42 stim browser => any
2011.04.26 13:42 stim Web server => Apache 1.3.x
2011.04.26 13:43 stim Note Added: 0005055
2011.05.02 21:04 jcommelin Note Added: 0005085
2014.09.25 22:26 bryanw Note Added: 0007636

Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker