mirror of
https://github.com/discourse/discourse.git
synced 2024-12-14 20:33:49 +08:00
SECURITY: email domain whitelist could be bypassed
This commit is contained in:
parent
b9bc27e539
commit
0ee2c2363b
|
@ -22,7 +22,7 @@ class EmailValidator < ActiveModel::EachValidator
|
|||
|
||||
def self.email_in_restriction_setting?(setting, value)
|
||||
domains = setting.gsub('.', '\.')
|
||||
regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
|
||||
regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
|
||||
value =~ regexp
|
||||
end
|
||||
|
||||
|
|
|
@ -40,6 +40,7 @@ describe EmailValidator do
|
|||
expect(blocks?('sam@bob.email.com')).to eq(false)
|
||||
expect(blocks?('sam@e-mail.com')).to eq(true)
|
||||
expect(blocks?('sam@googlemail.com')).to eq(false)
|
||||
expect(blocks?('sam@email.computers.are.evil.com')).to eq(true)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user