SECURITY: email domain whitelist could be bypassed

This commit is contained in:
Gerhard Schlager 2018-01-17 21:45:32 +01:00
parent b9bc27e539
commit 0ee2c2363b
2 changed files with 2 additions and 1 deletions

View File

@ -22,7 +22,7 @@ class EmailValidator < ActiveModel::EachValidator
def self.email_in_restriction_setting?(setting, value)
domains = setting.gsub('.', '\.')
regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
value =~ regexp
end

View File

@ -40,6 +40,7 @@ describe EmailValidator do
expect(blocks?('sam@bob.email.com')).to eq(false)
expect(blocks?('sam@e-mail.com')).to eq(true)
expect(blocks?('sam@googlemail.com')).to eq(false)
expect(blocks?('sam@email.computers.are.evil.com')).to eq(true)
end
end