vaadin / framework

Vaadin 6, 7, 8 is a Java framework for modern Java web applications.
http://vaadin.com/

EmailValidator catastrophic exponential-time regular expression #7757

Closed vaadin-bot closed 4 years ago

vaadin-bot commented 8 years ago

Originally by jtomaszk


Class com.vaadin.data.validator.EmailValidator is using an unsafe validation regex:

"^([a-zA-Z0-9_\\.\\-+])+@(([a-zA-Z0-9-])+\\.)+([a-zA-Z0-9]{2,4})+$"

Example of potentially malicious input on which validation never ends:

a@a.m5qRt8zLxQG4mMeu9yKZm5qRt8zLxQG4mMeu9yKZm5qRt8zLxQG4mMeu9yKZ&

Related info: http://www.regular-expressions.info/catastrophic.html


Imported from https://dev.vaadin.com/ issue #20065

fante76 commented 7 years ago

The current implementation on Vaadin 8 gives a validation error if the value is an empty string, because it only tests for a null value.

cristian-aimi commented 7 years ago

This second bug reported by fante76 is more serious, because it blocks the form that has an EmailValidator inside. It would be better to fix the problem as soon as possible.
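As an added example (not code from the issue, from jtomaszk or from Vaadin), a Python script that stands in for java.util.regex, since Python's re is also a backtracking engine: it counts the paths the `([a-zA-Z0-9]{2,4})+` tail of the reported pattern can explore before `$` fails on the reported input, and validates with an assumed hardened pattern that also treats an empty value like null, the case fante76 raises above. The hardened pattern, the length guard and the empty-string rule are my assumptions, not the project's.

```python
import re
from functools import lru_cache

# Regex from the issue, with the Java string escaping removed.
VULNERABLE = r"^([a-zA-Z0-9_\.\-+])+@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,4})+$"
# Assumed hardened form (my own, not Vaadin's fix): the TLD is one run with
# only a lower bound, so there is no nested quantifier to backtrack into.
HARDENED = r"^[a-zA-Z0-9_.+-]+@([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]{2,}$"

# Input from the issue: a 60-character alphanumeric run after "a@a." and a
# trailing "&" that makes "$" fail after every partition of that run.
MALICIOUS = "a@a." + "m5qRt8zLxQG4mMeu9yKZ" * 3 + "&"

MAX_LEN = 254  # RFC 5321 path limit; a cheap guard, but 60 < 254, so no fix


@lru_cache(maxsize=None)
def tld_partitions(n):
    """Ways ([a-zA-Z0-9]{2,4})+ can split an n-character run into pieces of
    2..4 characters. A backtracking engine walks through all of them before
    it can report that the trailing "$" never matches."""
    if n == 0:
        return 1
    return sum(tld_partitions(n - k) for k in (2, 3, 4) if n >= k)


def is_valid_email(value, pattern=HARDENED):
    """Validate like an optional form field: an empty value is treated the
    same as null ("not set"), instead of failing as fante76 describes."""
    if value is None or value == "":
        return True
    if len(value) > MAX_LEN:
        return False
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    run = len(MALICIOUS) - len("a@a.") - 1
    print(f"{run}-char run -> {tld_partitions(run):,} backtracking paths")
    # Never match VULNERABLE against MALICIOUS here: that is the hang itself.
    print("hardened rejects malicious input:", not is_valid_email(MALICIOUS))
    print("hardened accepts a normal address:",
          is_valid_email("user.name+tag@example.co.uk"))
```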

stale[bot] commented 6 years ago

Hello there!

It looks like this issue hasn't progressed lately. There are so many issues that we just can't deal with them all within a reasonable timeframe.

There are a couple of things you could do to help get things rolling on this issue (this is an automated message, so expect that some of these are already in use):

Thanks again for your contributions! Even though we haven't been able to get this issue fixed, we hope you will report your findings and enhancement ideas in the future too!

stale[bot] commented 4 years ago

The issue was automatically closed due to inactivity. If you found some new details to it or started working on it, comment on the issue so that maintainers can re-open it.

TatuLund commented 4 years ago

For some reason this ticket has been left open although it has been addressed in Vaadin version 8 and newer frameworks. The regexp pattern has been updated to https://github.com/vaadin/framework/blob/bafab4554a43f7c0214e919fa9d594a92305bc92/server/src/main/java/com/vaadin/data/validator/EmailValidator.java#L29

I verified that the problem with the given test pattern does not occur anymore.