net/mail: mail.ParseAddress() allows invalid characters in local-part and domain-literal #59039

Closed
lpar opened this issue Mar 14, 2023 · 3 comments

@lpar
lpar commented Mar 14, 2023

What version of Go are you using (go version)?

$ go version
go version go1.20.1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Fedora release 37 (Thirty Seven)

$ go env
GOARCH="amd64"
GOOS="linux"

What did you do?

https://go.dev/play/p/SWpZqP2Xxed

What did you expect to see?

An error.

Per RFC5322:

addr-spec       =   local-part "@" domain
local-part      =   dot-atom / quoted-string / obs-local-part
dot-atom        =   [CFWS] dot-atom-text [CFWS]
dot-atom-text   =   1*atext *("." 1*atext)
atext           = (Defined set of printable US-ASCII characters not including specials, see section 3.2.3)

So as I'm reading it the local-part is a single dot-atom-text (optionally with comments and folding whitespace around it but not inside it), dot-atom-text is a run of (atext or dot), and atext can only contain a defined set of printable ASCII characters.

Similarly, domain-literal doesn't seem to allow Unicode inside it either.

What did you see instead?

An invalid email address was parsed as valid.

@ConradIrwin
Contributor

RFC 6532 updated the definition of a-text to include all multibyte characters (aka "UTF8-non-ascii") (https://www.rfc-editor.org/rfc/rfc6532#section-3.2) and they specifically call out that domains are included. (I updated go to support this here: https://go-review.googlesource.com/c/go/+/19687).

I do get that the domain you specify is (probably?) not allowed to be registered due to the unicode whitespace character (exaµple.com would be totally valid); but I don't think this is the right level of abstraction for the mail package to care about.

@lpar
Author

lpar commented Mar 14, 2023

Yikes, so email addresses can now have whitespace in? Boy do I have opinions about that. Still, behavior is as per RFCs, so sorry for the bogus bug report.

@lpar lpar closed this as completed Mar 14, 2023
@ConradIrwin
Contributor

Haha, I know right... You can always run them through a regex (but easier is to just do an MX query on the domain).

@golang golang locked and limited conversation to collaborators Mar 13, 2024
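
An added example, not part of the original thread and not code from the Go project: since `mail.ParseAddress` follows RFC 6532 and accepts non-ASCII characters, an application that only wants ASCII mailbox names and hostnames has to check the parsed result itself. `StrictASCIIAddress`, `onlyFrom` and the sample inputs are hypothetical and constructed for illustration; the ASCII-only rule is an assumed application policy, stricter than the RFCs.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

const alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
const asciiAtext = alnum + "!#$%&'*+-/=?^_`{|}~" // RFC 5322 atext, before RFC 6532 widened it
const ldh = alnum + "-"                          // letter-digit-hyphen hostname label characters

// onlyFrom reports whether every rune of s is a member of set.
func onlyFrom(s, set string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return !strings.ContainsRune(set, r) }) < 0
}

// StrictASCIIAddress (hypothetical) layers an ASCII-only policy on net/mail; it also rejects quoted local-parts and domain-literals.
func StrictASCIIAddress(s string) (string, error) {
	a, err := mail.ParseAddress(s)
	if err != nil {
		return "", err
	}
	at := strings.LastIndexByte(a.Address, '@') // last '@': a quoted local-part may contain one
	if at < 0 {
		return "", errors.New("no @ in parsed address")
	}
	local, domain := a.Address[:at], a.Address[at+1:]
	for _, atom := range strings.Split(local, ".") {
		if atom == "" || !onlyFrom(atom, asciiAtext) {
			return "", errors.New("local-part is not an ASCII dot-atom")
		}
	}
	for _, l := range strings.Split(domain, ".") {
		if l == "" || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' || !onlyFrom(l, ldh) {
			return "", errors.New("domain is not an ASCII hostname")
		}
	}
	return a.Address, nil
}

func main() {
	for _, in := range []string{"alice@example.com", "alice@exa\u00a0mple.com", "al\u00b5ce@example.com"} { // constructed inputs
		_, perr := mail.ParseAddress(in)
		_, serr := StrictASCIIAddress(in)
		fmt.Printf("%q net/mail err=%v strict err=%v\n", in, perr, serr)
	}
}
```

The MX query suggested in the thread corresponds to `net.LookupMX` on the parsed domain; it is left out here because it needs network access.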