Sorry for not replying to the previous issue. How about adding options for using intl's Spoofchecker (uspoof.h) to prevent IDN homograph attacks?
Gmail requires the Unicode Highly Restrictive restriction level for that purpose (Protecting Gmail in a global world). The Highly Restrictive restriction level can be used since ICU 51 and later. The ICU version can be checked with INTL_ICU_VERSION or INTL_ICU_DATA_VERSION. These constants are available in PHP 5.3.7 and later. Here is sample code.
```php
// The original compared with '>=' and exited on the supported versions; ICU 51+ is required
if (version_compare(INTL_ICU_VERSION, '51.0', '<')) {
    exit('You need ICU 51 and later');
}
$spoof = new Spoofchecker;
// Flag strings that mix more than one script
$spoof->setChecks(Spoofchecker::SINGLE_SCRIPT);
// Cyrillic
$str = 'Кириллица';
// Latin + Han + Hiragana + Katakana
$str2 = "latin"."漢字"."ひらがな"."カタカナ";
// Latin + Han + Hangul
$str3 = "latin"."漢字"."조선말";
// Latin + Han + Bopomofo
$str4 = "latin"."漢字"."ㄅㄆㄇㄈ";
var_dump(
    false === $spoof->isSuspicious($str),
    false === $spoof->isSuspicious($str2),
    false === $spoof->isSuspicious($str3),
    false === $spoof->isSuspicious($str4),
    // Cyrillic mixed with Latin/Han/kana is flagged
    true === $spoof->isSuspicious($str.$str2)
);
```
You can also use locale-based restrictions.
```php
$spoof = new Spoofchecker;
// Latin + Han + Hiragana + Katakana
$spoof->setAllowedLocales('en_US,ja_JP');
var_dump(
    false === $spoof->isSuspicious('latin'.'漢字'.'ひらがな'.'カタカナ')
);
// Latin + Han + Hangul
$spoof->setAllowedLocales('en_US,ko_KR');
var_dump(
    false === $spoof->isSuspicious('latin'.'漢字'.'조선말')
);
// Latin + Han + Bopomofo
$spoof->setAllowedLocales('en_US,zh_TW');
var_dump(
    false === $spoof->isSuspicious('latin'.'漢字'.'ㄅㄆㄇㄈ')
);
```
Mozilla discusses using the Moderately Restrictive profile (IDN Display Algorithm). Unfortunately, the intl module doesn't provide a method (calling uspoof_setRestrictionLevel) or constants (ASCII, SINGLE_SCRIPT_RESTRICTIVE, HIGHLY_RESTRICTIVE, MODERATELY_RESTRICTIVE, MINIMALLY_RESTRICTIVE, UNRESTRICTIVE) for changing the restriction level. I am going to create a feature request for adding the method to the intl module. Here is my test for the intl module adding the setRestrictionLevel method and constants.
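As an added example (not code from the issue author or from this library), here is how the Spoofchecker check above could be applied to the domain part of an e-mail address: Punycode labels are decoded first, each label is checked on its own, and the restriction level is set where the API exists (Spoofchecker::setRestrictionLevel and the level constants shipped in PHP 7.3, so older builds fall back to SINGLE_SCRIPT as in the sample above). The function name `domainIsSuspicious` and the sample addresses are assumptions constructed for the example.

```php
<?php
// Added example: reject e-mail addresses whose domain labels mix scripts.
// Assumes ext/intl built against ICU 51 or later.

function domainIsSuspicious(string $email): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return true; // no domain part at all
    }
    $domain = substr($email, $at + 1);

    // Punycode (xn--) labels must be decoded before script analysis,
    // otherwise every label looks like plain ASCII and nothing is flagged.
    $unicode = idn_to_utf8($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    if ($unicode === false) {
        return true; // not a valid IDN at all
    }

    $spoof = new Spoofchecker();
    if (method_exists($spoof, 'setRestrictionLevel')) {
        // PHP 7.3+: the level Gmail uses, per the comment above.
        // Calling this also enables ICU's RESTRICTION_LEVEL check.
        $spoof->setRestrictionLevel(Spoofchecker::HIGHLY_RESTRICTIVE);
    } else {
        // Older intl: only the (deprecated) single-script check is exposed.
        $spoof->setChecks(Spoofchecker::SINGLE_SCRIPT);
    }

    // Check each label separately so a legitimate multi-script domain
    // (e.g. a Japanese label under a Latin TLD) is not flagged as a whole.
    foreach (explode('.', $unicode) as $label) {
        if ($label !== '' && $spoof->isSuspicious($label, $error)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs (not from the original issue).
var_dump(domainIsSuspicious('user@example.com'));        // bool(false): single script
var_dump(domainIsSuspicious('user@exаmple.com'));        // bool(true): Cyrillic 'а' inside a Latin label
var_dump(domainIsSuspicious('user@xn--80ak6aa92e.com')); // bool(false): all-Cyrillic label, decoded before checking
```

Whether a given all-Cyrillic or mixed Han/kana label is acceptable is a policy decision; setAllowedLocales, as in the comment above, can narrow the accepted scripts further.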
Hi @masakielastic!
Thanks again for your comments. I'll check it in depth and see when to add it, since we can add the check before even parsing the email.