From 57e6e33c22c4e5e8390d2e3c766a0888c6c84fc7 Mon Sep 17 00:00:00 2001
From: Radko Krkos <krkos@cesnet.cz>
Date: Fri, 3 Aug 2018 17:01:21 +0200
Subject: [PATCH] Server: Fix requestor e-mail validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* No longer silently accept pattern 'a@b@c', otherwise stay compatibile.
* Valid patterns are: 'user@fqdn', '<user@fqdn>', 'user <user@fqdn>',
  'user surname <user@fqdn>', no Unicode support, multiple e-mails
  separated by comma are allowed.
* Replace email.utils.parseaddr() with extended regular expression.
* Remove import email.utils as no other users exist.

Signed-off-by: Pavel Kácha <ph@cesnet.cz>
---
 warden3/warden_server/warden_server.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 warden3/warden_server/warden_server.py

diff --git a/warden3/warden_server/warden_server.py b/warden3/warden_server/warden_server.py
old mode 100644
new mode 100755
index 5b78c3d..d111eb3
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -14,7 +14,6 @@ import logging
 import logging.handlers
 import json
 import re
-import email.utils
 from traceback import format_tb
 from collections import namedtuple
 from time import sleep
@@ -1466,9 +1465,8 @@ def modify_client(**kwargs):
         return allowed.match(nsid)
 
     def isValidEmail(mail):
-        mails = (email.utils.parseaddr(m) for m in mail.split(","))
-        allowed = re.compile(r"^[a-zA-Z0-9_.%!+-]+@[a-zA-Z0-9-.]+$")  # just basic check
-        valid = (allowed.match(ms[1]) for ms in mails)
+        allowed = re.compile(r"(^[a-zA-Z0-9_ .%!+-]*(?=<.*>))?(^|(<(?=.*(>))))[a-zA-Z0-9_.%!+-]+@[a-zA-Z0-9-.]+\4?$")   # just basic check
+        valid = (allowed.match(ms.strip())for ms in mail.split(','))
         return all(valid)
 
     def isValidID(id):
-- 
GitLab