Security by ignoring RFCs



  • from    PJH
    to    customerservice@firstsave.co.uk,
    date    17 Jan 2008 13:29:58 -0000
    subject    Error in online application process.

       
    I'd like to complain that your online application process refuses to accept an address with a + in the part before the @ sign, claiming the address to be 'invalid'.

    from    customerservice@firstsave.co.uk
    to    PJH,
    date    Jan 17, 2008 4:06 PM
    subject    FirstSave


    Dear PJH

    Thank you for your email of 17th January 2008 regarding our online application process.

    I can confirm that for the security of our accounts we are only able to accept standardised e-mail addresses that do not include any special characters. However, we do apologise for any inconvenience caused by this.

    from    PJH
    to    customerservice@firstsave.co.uk
    date    Jan 17, 2008 4:19 PM
    subject    Re: FirstSave

    May I enquire as to what 'security' is enabled by not allowing valid characters in email addresses?  I can conceive of no reasonable reason for this. For example, the + character is used by Google Mail to allow its users to filter email based on the local part of the email address used.

    Furthermore, may I suggest you refer whoever came up with this brain-dead idea to RFC 2822 (http://tools.ietf.org/html/rfc2822)?

    I don't expect a reply to this last one.

    Twats. 




  • Maybe you should have also said them that the RFC is the standard as nothing now implies so unless they already know.



  • I've been fighting this battle for years now... people writing "validation" regex for "email" addresses who haven't seen RFC[2]822, and ignoring the standard ways of doing this.  Of course, we have other people who copy those people, so it's really becoming this bad virus of what "email" addresses are.  Most of the time, these regex would reject my test address <fred&barney@stonehenge.com>, which has been in place for about a dozen years now. (Go ahead, try it... it's an autoresponder.)  There is no inherent insecurity in accepting '822.  It just means you coded bad somewhere else.  Never let an email address near an unescaped SQL parameter or shell command line!  It's not hard, people!



  • @PJH said:

    May I enquire as to what 'security' is enabled by not allowing valid characters in email addresses?
    Their financial security since they are able to sell lists of email addresses to spammers.



  • Hey - try my new email address:

     me'; drop database--@gmail.com
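An added example, not code from the thread or from any of its posters, that puts realmerlyn's two points side by side: a permissive, RFC 5322-style syntax check that keeps `+`, `&`, `'` and the rest of the atext set, and the SQL handling that makes accepting them safe. GettinSadda's `me'; drop database--@gmail.com` is rejected by the syntax check (space and `;` are not atext), but the real protection is that an address such as `o'brien+bank@example.com`, which is valid, never reaches SQL text unescaped. The character set is a deliberate simplification (no quoted local parts, no domain literals, and single-label domains rejected by choice); the table and sample addresses are constructed for the demonstration.

```python
"""Permissive address syntax check next to safe vs. naive SQL handling.
Added example; not from the original thread. The grammar is a simplified
RFC 5322 dot-atom form (no quoted-string local parts, no domain literals).
"""
import re
import sqlite3

# RFC 5322 section 3.2.3 atext: ALPHA / DIGIT / ! # $ % & ' * + - / = ? ^ _ ` { | } ~
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# Domain: dot-separated LDH labels (RFC 1035 style), 1..63 chars, no leading or
# trailing hyphen. At least two labels is a local policy choice, not an RFC rule.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"
ADDR_RE = re.compile(rf"^(?P<local>{DOT_ATOM})@(?P<domain>{DOMAIN})$")


def parse_address(addr: str):
    """Return (local, domain) for a syntactically acceptable address, else None."""
    m = ADDR_RE.match(addr)
    if not m:
        return None
    local, domain = m.group("local"), m.group("domain")
    # RFC 5321 section 4.5.3.1: local-part at most 64 octets; a full address
    # longer than 254 cannot fit in a <Path> with its angle brackets.
    if len(local) > 64 or len(addr) > 254:
        return None
    return local, domain


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table used by the two insert variants below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(email TEXT UNIQUE)")
    return conn


def insert_naive(conn: sqlite3.Connection, addr: str) -> bool:
    """The bug realmerlyn warns about: the address is spliced into SQL text.

    A perfectly valid address containing an apostrophe breaks the statement
    (and on a driver that accepts stacked statements, a crafted one does worse).
    Returns False when the statement fails to parse.
    """
    try:
        conn.execute(f"INSERT INTO users(email) VALUES ('{addr}')")
        return True
    except sqlite3.OperationalError:
        return False


def insert_safe(conn: sqlite3.Connection, addr: str) -> bool:
    """Parameterised: the address travels as data, never as SQL text."""
    conn.execute("INSERT INTO users(email) VALUES (?)", (addr,))
    return True


def stored_emails(conn: sqlite3.Connection):
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY email")]


if __name__ == "__main__":
    for a in ("fred&barney@stonehenge.com", "foo+bar@wtf.com",
              "o'brien+bank@example.com", "me'; drop database--@gmail.com"):
        print(f"{a!r:40} -> {parse_address(a)}")
    db = make_db()
    print("naive insert of o'brien:", insert_naive(db, "o'brien+bank@example.com"))
    print("safe insert of o'brien: ", insert_safe(db, "o'brien+bank@example.com"))
    print("stored:", stored_emails(db))
```

The naive variant fails on `o'brien+bank@example.com` even though the address is valid; the parameterised variant stores it unchanged. That is the whole argument of the thread in code: rejecting `+` or `&` at the form buys nothing, because the only place the characters could hurt is one where every input has to be handled as data anyway.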



  • When a feature is poorly implemented, one can say that it is crippled for "security reasons".



  • @m0ffx said:

    @PJH said:
    May I enquire as to what 'security' is enabled by not allowing valid characters in email addresses?
    Their financial security since they are able to sell lists of email addresses to spammers.
    Didn't work with me; I just used a sneakemail address instead.



  • @realmerlyn said:

    I've been fighting this battle for years now... people writing "validation" regex for "email" addresses who haven't seen RFC[2]822, and ignoring the standard ways of doing this.  Of course, we have other people who copy those people, so it's really becoming this bad virus of what "email" addresses are.  Most of the time, these regex would reject my test address <fred&barney@stonehenge.com>, which has been in place for about a dozen years now. (Go ahead, try it... it's an autoresponder.)  There is no inherent insecurity in accepting '822.  It just means you coded bad somewhere else.  Never let an email address near an unescaped SQL parameter or shell command line!  It's not hard, people!

    Oh, for grins, google for:  site:regexlib.com "wrong wrong wrong"

    You'll see all the times I've been fighting this in a place intending to exchange regular expressions for things. 



  • You really could have just replied saying that foo+bar@wtf.com is a "standardized" email address with no "special" characters, and referred them to the RFC.  Politeness (or sarcasm misinterpreted as politeness) generally has a better chance of success. 

     As further reference (since this is a UK site), you could point them to any of the multiple US-based sites that only accept a "standardized" email address with only one dot in the domain name (or even more fun, the ones that will only accept .com .net or .org).  They're out there, but I don't recall seeing one any time recently.



  • The real WTF is that the first google hit for "email regex" is this douche:

     

    His (non-compliant, terribly restrictive) regex works for him on his shitty little site, it must be good enough for everyone!




  • I'm happy when sites at least accept a dot in the pre-@ part of the email address.  It shouldn't really surprise anybody that these rare characters aren't accepted by a lot of sites.  Perhaps the real WTF is that the RFC allows them in the first place.



  • @merreborn said:

    The real WTF is that the first google hit for "email regex" is this douche:

    http://www.regular-expressions.info/email.html


    His (non-compliant, terribly restrictive) regex works for him on his shitty little site, it must be good enough for everyone!


    He even goes as far as to mention the correct way of doing it in a regexp and then immediately dismisses it. The cube is perfectly fine for checking an email which should only be done when the user signs up and when the user changes their email.



  • @Latexxx said:

    Maybe you should have also said them that the RFC is the standard as nothing now implies so unless they already know.


    Huh?



  • @bighusker said:

    @Latexxx said:

    Maybe you should have also said them that the RFC is the standard as nothing now implies so unless they already know.


    Huh?

    This is what happens when you don't speak English and use some random translation service to translate to a few languages in turn.



  • @Lingerance said:

    @bighusker said:

    @Latexxx said:

    Maybe you should have also said them that the RFC is the standard as nothing now implies so unless they already know.


    Huh?

    This is what happens when you don't speak English and use some random translation service to translate to a few languages in turn.

    I'm relieved that I'm not the only one who didn't understand Latexxx. I thought I was lacking English classes. 



  • @Lingerance said:

    @merreborn said:

    The real WTF is that the first google hit for "email regex" is this douche:

    http://www.regular-expressions.info/email.html


    His (non-compliant, terribly restrictive) regex works for him on his shitty little site, it must be good enough for everyone!


    He even goes as far as to mention the correct way of doing it in a regexp and then immediately dismisses it. The cube is perfectly fine for checking an email which should only be done when the user signs up and when the user changes their email.

    My favorite part is how he suggests expanding the regex to check for specific TLDs because the standard one will allow domains with invalid TLDs like "asdf.asdf" or "aol.com.nospam". Too bad it'll still accept stuff like "fuyasermnslkvjyilausrasdflkjatas.com" (assuming said domain does not actually exist).

    Seems he's never heard of the technique of taking the hostname from an email address and doing a DNS lookup to see if it exists - yes, a plain DNS lookup; contrary to what you might think, MX records are not required for mail delivery, though some non-compliant mail servers such as Exchange still require it (as an amusing aside, when I lost the MX record on my own domain, ALL spam to it immediately ceased, while most normal mail kept working; once I readded the MX record, the spam started up again). Sure, it's a little bit slower, but it's a hell of a lot simpler than trying to keep one's site up to date with every new TLD that gets added.
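An added example, not from the thread, of the check Quietust describes: take the domain part of the address and ask DNS whether it can receive mail, instead of maintaining a TLD whitelist. The order follows RFC 5321 section 5.1: an MX record wins; with no MX, an A or AAAA record makes the host an "implicit MX", which is the point Quietust makes about MX not being required. RFC 7505's null MX (`0 .`) is treated as an explicit "no mail here". The resolver is injected so the logic runs offline against constructed records; the stdlib-backed `stdlib_lookup` only answers A/AAAA because the `socket` module cannot query MX, so a real deployment would plug in a DNS library there. Zone names and records in `DEMO_ZONE` are constructed for the demonstration, not real DNS answers.

```python
"""Does the domain part of an address accept mail? Decide by DNS, not by TLD.
Added example; not from the original thread. Resolver is injectable so the
decision logic can be exercised offline with constructed records.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (name, rrtype) -> list of record strings, e.g. ("example.com", "MX") -> ["10 mail.example.com."]
Lookup = Callable[[str, str], List[str]]


def stdlib_lookup(name: str, rrtype: str) -> List[str]:
    """Real A/AAAA lookups via getaddrinfo. The socket module has no MX query,
    so MX (and anything else) answers empty; swap in a DNS library for that."""
    if rrtype not in ("A", "AAAA"):
        return []
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        infos = socket.getaddrinfo(name, None, family)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def make_stub_lookup(zone: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline resolver over constructed records; names are case-insensitive
    and a trailing dot is ignored, as in real DNS."""
    return lambda name, rrtype: list(zone.get((name.lower().rstrip("."), rrtype), []))


def domain_accepts_mail(domain: str, lookup: Lookup = stdlib_lookup) -> Tuple[bool, str]:
    """Return (accepts, reason) following RFC 5321 section 5.1 resolution order."""
    mx = lookup(domain, "MX")
    if mx:
        # RFC 7505 null MX: exactly one record whose exchange is the root ("0 .").
        if len(mx) == 1 and mx[0].split()[-1] in (".", ""):
            return False, "null MX"
        return True, "MX " + ", ".join(mx)
    # No MX at all: the domain's own address record is the implicit MX.
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        return True, "implicit MX (A/AAAA only)"
    return False, "no MX, A or AAAA"


def address_domain_ok(addr: str, lookup: Lookup = stdlib_lookup) -> bool:
    """Split at the last '@' (the local part may itself contain '@' when
    quoted) and check the domain."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain_accepts_mail(domain, lookup)[0]


# Constructed zone for demonstration; these are not real DNS answers.
DEMO_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("a-only.example", "A"): ["192.0.2.10"],
    ("nomail.example", "MX"): ["0 ."],
}
demo_lookup = make_stub_lookup(DEMO_ZONE)


if __name__ == "__main__":
    for d in ("example.com", "a-only.example", "nomail.example", "asdf.asdf"):
        print(f"{d:16} -> {domain_accepts_mail(d, demo_lookup)}")
    # Against the live resolver (A/AAAA only), network permitting:
    print("example.org live:", domain_accepts_mail("example.org"))
```

Two caveats a practitioner would add to Quietust's suggestion: the lookup happens at signup time with whatever the resolver says right then, so treat a negative answer as "ask the user to check the address", not as proof; and a domain that resolves is still no guarantee the mailbox exists, which only a confirmation mail settles.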



  • @Quietust said:

    Seems he's never heard of the technique of taking the hostname from an email address and doing a DNS lookup to see if it exists - yes, a plain DNS lookup;
    Is it legal to do that these days?

    http://www.channelregister.co.uk/2008/01/17/anti_spam_activist_lawsuit/

    http://yro.slashdot.org/article.pl?sid=08/01/17/0417209

    </hyperbole>



  • @merreborn said:

    The real WTF is that the first google hit for "email regex" is this douche:

    http://www.regular-expressions.info/email.html

    His (non-compliant, terribly restrictive) regex works for him on his shitty little site, it must be good enough for everyone!

     Oh yeah... I've written that guy to try to get him to change his site.  He laughs at me, I guess.  So I laugh in his general direction in return. 



  • @PJH said:

    @Quietust said:

    Seems he's never heard of the technique of taking the hostname from an email address and doing a DNS lookup to see if it exists - yes, a plain DNS lookup;
    Is it legal to do that these days?

    http://www.channelregister.co.uk/2008/01/17/anti_spam_activist_lawsuit/

    http://yro.slashdot.org/article.pl?sid=08/01/17/0417209

    </hyperbole>

    Scary, but I believe that's a bit different - he was doing a zone transfer, requesting bulk amounts of information. All I suggested was doing a plain DNS 'A' lookup - anybody suggesting that those are illegal would have to be a complete idiot, as it is akin to looking up somebody's number in a public phone book.



  • @GettinSadda said:

    Hey - try my new email address:

     me'; drop database--@gmail.com

    Gmail's servers say you don't exist.

