From 0ee2c2363b26de8df924fe699966f7acb2c7dc53 Mon Sep 17 00:00:00 2001
From: Gerhard Schlager
Date: Wed, 17 Jan 2018 21:45:32 +0100
Subject: [PATCH] SECURITY: email domain whitelist could be bypassed

---
 lib/validators/email_validator.rb | 2 +-
 spec/components/validators/email_validator_spec.rb | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/validators/email_validator.rb b/lib/validators/email_validator.rb
index 64463d53cb3..624ee071c88 100644
--- a/lib/validators/email_validator.rb
+++ b/lib/validators/email_validator.rb
@@ -22,7 +22,7 @@ class EmailValidator < ActiveModel::EachValidator
   def self.email_in_restriction_setting?(setting, value)
     domains = setting.gsub('.', '\.')
-    regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
+    regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
     value =~ regexp
   end
diff --git a/spec/components/validators/email_validator_spec.rb b/spec/components/validators/email_validator_spec.rb
index 42ff521375d..36a4202d62b 100644
--- a/spec/components/validators/email_validator_spec.rb
+++ b/spec/components/validators/email_validator_spec.rb
@@ -40,6 +40,7 @@ describe EmailValidator do
       expect(blocks?('sam@bob.email.com')).to eq(false)
       expect(blocks?('sam@e-mail.com')).to eq(true)
       expect(blocks?('sam@googlemail.com')).to eq(false)
+      expect(blocks?('sam@email.computers.are.evil.com')).to eq(true)
     end
   end
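Review bot: The added `$` in `email_in_restriction_setting?` anchors at end of line, not end of string — in Ruby `$` also matches just before a `\n`, so a value carrying a trailing or embedded newline is still not bounded by the domain suffix; the string-end anchor is `\z`: `regexp = Regexp.new("@(.+\\.)?(#{domains})\\z", true)`. Whether a newline can reach this method depends on validation done by the caller, which is outside this hunk. Separately, `setting.gsub('.', '\.')` escapes only dots, so any other regexp metacharacter in the setting is interpolated into the pattern unescaped; if the setting is the usual pipe-separated list, building it with `setting.split('|').map { |d| Regexp.escape(d) }.join('|')` would escape every entry rather than one character. A short comment on the method would help too, e.g. `# Matches when value's domain equals, or is a subdomain of, an entry in the pipe-separated setting (case-insensitive).`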
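Review bot: The new example pins the suffix-matching regression, but nothing in this `it` block exercises the case-insensitive flag that the validator passes as the second argument to `Regexp.new`, so a later change to that argument would go unnoticed; one more line alongside the added expectation, `expect(blocks?('sam@EMAIL.com')).to eq(true)`, would cover it, assuming `blocks?` is a thin wrapper around `email_in_restriction_setting?` (its definition is outside the hunk). The enclosing `describe` block starts before this hunk.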