SECURITY: email domain whitelist could be bypassed

2018-01-17 21:45:32 +01:00 · 2018-01-17 21:45:32 +01:00 · 2a22b90538
parent 34ed6088b9
commit 2a22b90538
2 changed files with 2 additions and 1 deletions
--- a/lib/validators/email_validator.rb
+++ b/lib/validators/email_validator.rb
@ -22,7 +22,7 @@ class EmailValidator < ActiveModel::EachValidator
  def self.email_in_restriction_setting?(setting, value)
    domains = setting.gsub('.', '\.')
-    regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
+    regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
    value =~ regexp
  end
--- a/spec/components/validators/email_validator_spec.rb
+++ b/spec/components/validators/email_validator_spec.rb
@ -40,6 +40,7 @@ describe EmailValidator do
      expect(blocks?('sam@bob.email.com')).to eq(false)
      expect(blocks?('sam@e-mail.com')).to eq(true)
      expect(blocks?('sam@googlemail.com')).to eq(false)
      expect(blocks?('sam@email.computers.are.evil.com')).to eq(true)
    end
  end