cc36444ae63d7ffcc6b88fe8988025fe846b9c1b chinhli Mon Jun 4 16:25:55 2012 -0700 Validate email address format. diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c index 929585f..8abfbfb 100644 --- src/hg/hgLogin/hgLogin.c +++ src/hg/hgLogin/hgLogin.c @@ -196,30 +196,80 @@ break; case 2 : c = '0' + randInt(10); break; default: c = punc[randInt(8)]; break; } boundary[i] = c; } boundary[i]=0; return cloneString(boundary); } /* ---- General purpose helper routines. ---- */ + +int spc_email_isvalid(const char *address) { +/* Code copied from the book: +"Secure Programming Cookbook for C and C++" +By: John Viega; Matt Messier +Publisher: O'Reilly Media, Inc. +Pub. Date: July 14, 2003 +Print ISBN-13: 978-0-596-00394-4 +*/ +int count = 0; +const char *c, *domain; +static char *rfc822_specials = "()<>@,;:\\\"[]"; + +/* first we validate the name portion (name@domain) */ +for (c = address; *c; c++) + { + if (*c == '\"' && (c == address || *(c - 1) == '.' || *(c - 1) == '\"')) + { + while (*++c) + { + if (*c == '\"') break; + if (*c == '\\' && (*++c == ' ')) continue; + if (*c <= ' ' || *c >= 127) return 0; + } + if (!*c++) return 0; + if (*c == '@') break; + if (*c != '.') return 0; + continue; + } + if (*c == '@') break; + if (*c <= ' ' || *c >= 127) return 0; + if (strchr(rfc822_specials, *c)) return 0; + } +if (c == address || *(c - 1) == '.') return 0; + +/* next we validate the domain portion (name@domain) */ +if (!*(domain = ++c)) return 0; +do { + if (*c == '.') + { + if (c == domain || *(c - 1) == '.') return 0; + count++; + } + if (*c <= ' ' || *c >= 127) return 0; + if (strchr(rfc822_specials, *c)) return 0; +} while (*++c); + +return (count >= 1); +} + void backToHgSession(int nSec) /* delay for N/10 micro seconds then go back to hgSession page */ { char *hgLoginHost = wikiLinkHost(); int delay=nSec*100; hPrintf("<script language=\"JavaScript\">\n" "<!-- \n" "window.setTimeout(afterDelay, %d);\n" "function afterDelay() {\n" "window.location =\"http://%s/cgi-bin/hgSession?hgS_doMainPage=1\";\n}" "\n//-->\n</script>", delay, hgLoginHost); } void backToDoLoginPage(int nSec) /* delay for N micro seconds then go back to Login page */ @@ -840,30 +890,38 @@ errMsg = cloneString("A user with this name already exists."); signupPage(conn); freez(&user); return; } char *email = cartUsualString(cart, "hgLogin_email", ""); if (!email || sameString(email,"")) { freez(&errMsg); errMsg = cloneString("Email cannot be blank."); signupPage(conn); return; } +if (spc_email_isvalid(email) == 0) + { + freez(&errMsg); + errMsg = cloneString("Invalid email address format."); + signupPage(conn); + return; + } + char *email2 = cartUsualString(cart, "hgLogin_email2", ""); if (!email2 || sameString(email2,"")) { freez(&errMsg); errMsg = cloneString("Email cannot be blank."); signupPage(conn); return; } if (email && email2 && !sameString(email, email2)) { freez(&errMsg); errMsg = cloneString("Email addresses do not match."); signupPage(conn); return;