Issues

ZF-12157: Zend_Validate_EmailAddress returns INVALID_SEGMENT when the address is routable

Description

ESPN.com has public routable MX servers that sit on a network segment beginning with 192, but not in a class C reserved range. The _isReserved check has a couple of bugs that prevent proper validation.

A test case


$validator = new Zend_Validate_EmailAddress();
$validator->setOptions(array(
    'allow' => Zend_Validate_Hostname::ALLOW_DNS,
    'mx'    => true,
    'deep'  => true
));
Zend_Debug::dump($validator->isValid('test@espn.com'));

Some debug data: {panel} dig espn.com MX

; <<>> DiG 9.7.1-P2 <<>> espn.com MX ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17090 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION: ;espn.com. IN MX

;; ANSWER SECTION: espn.com. 374 IN MX 10 mx005.espn.com. espn.com. 374 IN MX 10 mx006.espn.com. espn.com. 374 IN MX 10 mx002.espn.com. espn.com. 374 IN MX 10 mx003.espn.com. espn.com. 374 IN MX 10 mx004.espn.com.

;; ADDITIONAL SECTION: mx005.espn.com. 227 IN A 192.234.2.158 mx006.espn.com. 205 IN A 192.234.2.159 mx002.espn.com. 228 IN A 192.234.2.155 mx003.espn.com. 205 IN A 192.234.2.156 mx004.espn.com. 169 IN A 192.234.2.157 {panel}

Lines 365 and 366 of Zend_Validate_EmailAddress->_isReserved have typecasts to integer that make the subsequent checks as type array on lines 370 and 371 fail. Removing the int casts makes the comparison work properly.

Moreover, the entire check is conceptually incorrect since a range outside of what is in _invalidIp is fundamentally valid. Rather than checking if it is outside of the address range in each _invalidIp and returning false, it should probably check if it is inside the range and return true on line 372, and then return false by default on line 377.

Comments

No comments to display