This bugtracker is kept to provide history on old issues.
|Anonymous | Login | Signup for a new account||2019.09.18 12:52 CEST|
|My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002282||Piwigo||security||public||2011.04.26 13:42||2014.09.25 22:26|
|Target Version||Fixed in Version|
|Summary||0002282: Email address containing apostrophe invalid due to magic quotes|
|Description||When submitting an email address that contains an ' trough the profile page, the address is rejected because it is considered being wrongly formatted.|
This is due to magic quotes changing (email@example.com) into (apo\'firstname.lastname@example.org).
|Steps To Reproduce||Change an email address of a user into one containing an '.|
|Tags||No tags attached.|
|Database engine and version|
|Web server||Apache 1.3.x|
|(I don't really think it is necessary to allow ' in email addresses, but currently the program is not behaving like the contract (the regexp) says)|
|According to RFC 822 it is valid to have an apostrophe in ones email address. Still I think (just like stim) that it is not really necessary to allow them. It brings problems with it like SQL injections and such...|
Horrible attitude to take, and unfortunately it is pervasive through the Piwigo code.
Piwigo is attempting to be an internationally useful program. The fr.piwigo.org forums are full of complaints about errors in email and file names where apostrophe and accents are present.
Input sanitation is a basic thing. It is a solved problem. Automatically escaping URLs and email addresses is also a solved problem.
Basically, if my file system allows me to name a file "Robert'); DROP TABLE Students;--" then it should handle it. Observe that Mantis (the bug database) doesn't choke and die on accents and apostrophes.
|2011.04.26 13:42||stim||New Issue|
|2011.04.26 13:42||stim||browser||=> any|
|2011.04.26 13:42||stim||Web server||=> Apache 1.3.x|
|2011.04.26 13:43||stim||Note Added: 0005055|
|2011.05.02 21:04||jcommelin||Note Added: 0005085|
|2014.09.25 22:26||bryanw||Note Added: 0007636|
|Copyright © 2000 - 2019 MantisBT Team Contact|