* Fixed bug #15887: XSS in template analyzer (thanks to Georg Ringer)
* Fixed bug #15728: Extension Manager allows to download arbitrary files beyond PATH_site or rootpath (thanks to Marcus Krause)
* Fixed bug #15729: Sysext setup's user simulation is susceptible to XSS (thanks to Marcus Krause)
+ * Fixed bug #15860: Mitigate libpcre recursion crash in email address validation (thanks to Marcus Krause)
2010-10-05 Steffen Gebert <steffen@steffen-gebert.de>
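Review bot: the new ChangeLog line names only the TYPO3 bug (#15860) while the code comment in the same patch attributes the crash to PHP bug #52929; adding the upstream reference here too, e.g. "Mitigate libpcre recursion crash in email address validation (PHP bug #52929)", would let someone reading only the ChangeLog find the PHP issue and check whether their PHP build already contains the fix. "Mitigate" is the right verb, since the patch caps input length rather than removing the underlying libpcre problem, and that wording should be kept.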
* @return boolean Returns true if the $email address (input string) is valid
*/
public static function validEmail($email) {
- return (filter_var($email, FILTER_VALIDATE_EMAIL) !== false);
+ // enforce maximum length to prevent libpcre recursion crash bug #52929 in PHP
+ // fixed in PHP 5.2+ later than Sept 2010; length restriction per SMTP RFC 2821
+ if (strlen($email) > 320) {
+ return FALSE;
+ }
+ return (filter_var($email, FILTER_VALIDATE_EMAIL) !== FALSE);
}
/**
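Review bot: the comment above the new `strlen($email) > 320` check is too vague to be maintained: "fixed in PHP 5.2+ later than Sept 2010" names no release, and "length restriction per SMTP RFC 2821" does not say where 320 comes from. Suggest stating the derivation (RFC 2821 section 4.5.3.1: 64 octets for the local part, 255 for the domain, so 64 + 1 + 255 = 320) and the first PHP version that ships the libpcre fix, so a later reader knows when the workaround can be dropped. Since the check is a mitigation and every address up to 320 bytes is still handed to `filter_var()`, the comment should also record that 320 bytes is below the input length that triggers the recursion crash; otherwise the cap looks like an RFC conformance check rather than the safety limit it is. The ordering is correct as written: the length test runs before `filter_var()`, which is the call that reaches libpcre, and the `!== FALSE` comparison is right because `FILTER_VALIDATE_EMAIL` returns the filtered string, not a boolean.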