
Merge pull request #16 from privacybydesign/email-rfc-fix
Fix: make sure uppercase characters in addresses are filtered earlier
synaptic-cleft authored Dec 29, 2021
2 parents 9b7ce63 + 7f46567 commit 70f065d
Showing 2 changed files with 15 additions and 2 deletions.
15 changes: 14 additions & 1 deletion src/main/java/foundation/privacybydesign/email/EmailRestApi.java
Expand Up @@ -54,6 +54,13 @@ public Response sendEmail(@FormParam("email") String email,

if (lang == null || lang.length() == 0)
lang = EmailConfiguration.getInstance().getDefaultLanguage();

// We only accept lowercase email addresses.
if (!email.equals(email.toLowerCase())) {
logger.error("Address contains uppercase characters: {}", email);
return Response.status(Response.Status.BAD_REQUEST).entity(ERR_ADDRESS_MALFORMED).build();
}

String token = signer.createToken(email);
try {
String url = conf.getServerURL(lang) + "#verify-email/" + token
Expand Down Expand Up @@ -91,6 +98,12 @@ public Response sendEmailToken(@FormParam("email") String emailAddress,
@FormParam("language") String language) {
EmailConfiguration conf = EmailConfiguration.getInstance();

// We only accept lowercase email addresses.
if (!emailAddress.equals(emailAddress.toLowerCase())) {
logger.error("Address contains uppercase characters: {}", emailAddress);
return Response.status(Response.Status.BAD_REQUEST).entity(ERR_ADDRESS_MALFORMED).build();
}

// Test email with signature
String token = signer.createToken(emailAddress);

Expand Down Expand Up @@ -134,7 +147,7 @@ public Response sendEmailToken(@FormParam("email") String emailAddress,
public Response verifyEmailToken(@FormParam("token") String token) throws KeyManagementException {
EmailConfiguration conf = EmailConfiguration.getInstance();

String emailAddress = signer.verifyToken(token).toLowerCase();
String emailAddress = signer.verifyToken(token);
if (emailAddress == null) {
// cannot verify (may be expired or have an invalid signature)
// TODO: inform the user if it's expired vs other errors
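Review bot: The new check at the top of sendEmailToken dereferences `emailAddress` with no null guard, so a request that omits the `email` form field fails with a NullPointerException (a 500) instead of the intended 400; the same applies to `email` in sendEmail in the first hunk, unless a guard exists above that hunk's start. `toLowerCase()` with no locale argument also depends on the JVM default locale, while the client-side normalisation in webapp/common.js is locale-independent, so `Locale.ROOT` keeps the two rules in step: `if (emailAddress == null || !emailAddress.equals(emailAddress.toLowerCase(Locale.ROOT))) {`. Logging the rejected address verbatim at ERROR level writes a user-supplied identifier into the error log for what is a client input error; WARN, or omitting the address, would be more proportionate. Since the third hunk drops the `toLowerCase()` in verifyEmailToken, any token issued before this change for a mixed-case address and still within its validity window would presumably now verify to the mixed-case form, which is worth confirming against the token lifetime. sendEmailToken's body continues outside the hunk.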
2 changes: 1 addition & 1 deletion webapp/common.js
Expand Up @@ -57,7 +57,7 @@ function setWindow(window, back) {
}

function addEmail(e) {
const address = $('#email-form [id=email]').val();
const address = $('#email-form [id=email]').val().toLowerCase();

if ($('#window-email-confirm').hasClass('hidden')) {
$('#email-confirm').text(address);
