Igor, and many others who commented on the fact that many characters
are legal in email are correct. However, with the exception of '-' and
'+', I'm not sure if I'll be changing the body of the guidelines.

My issue is that dealing with a wide variety of characters that are
legitimate, such as "cat ../../../etc/passwd"@foo.com is more dangerous
than only accepting the common case of user@host.net. The number of
addresses such as harvard!adam is dropping as the number of 'normal'
addresses grows.

Igor Chudov @ home wrote:
| Adam Shostack wrote:
| > http://www.homeport.org/~adam/review.html
| In part " V.Code (Security Issues)/3.Data Checking" you say the following:
|
| `` Data coming in to Acme Widgets should be checked very carefully for
| appropriateness. This check should be to see if the data is what
| is expected (length, characters). Making a list of bad
| characters is not the way to go; the lists are rarely complete.
| A secure program should know what it expects, and reject other
| input. (For example, if you are looking for an email address,
| don't check to see if it contains a semi-colon or a newline,
| check to see if it contains anything other than a [A-Za-z0-9._]
| followed by an @, followed by a hostname [A-Za-z0-9._].)''
| END QUOTE
|
| That is not entirely correct. An email address is much more than
| that, it can contain "!", several "@" characters (not next to each other
| though), "%", and so on. x400 mail addresses (?) can contain "/", "=",
| and all emails can have "+" and "-" and "_" in them.
|
| Some of the valid email addresses are
|
| user_name@company.com
| alex+@pitt.edu
| mi%aldan.UUCP@algebra.com
| user%host.domain@anon.penet.fi
| host1!host2!user
|
| Look at your sendmail.cf file for a humongous amount of
| email parsing rules.
|
| Thanks for an excellent document though, I put a link to it from my
| intranet page.

You're welcome.

| - Igor "Code Obscurity Creates Job Security" Chudov.
|

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume
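
Added example, not part of the original message or of the reviewed guidelines: the allowlist check from the quoted guideline, widened with '-' and '+' as the reply concedes, run beside a bad-character list over the addresses mentioned in the thread. Allowing '-' in the hostname, the 254-character cap, and the function names are assumptions of this example.

```python
import re

# Allowlist from the quoted guideline, plus '-' and '+' as conceded in the
# reply. Assumptions of this example: '-' is also allowed in the hostname,
# and 254 is used as the length cap (the guideline only says to check length).
ALLOWED = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9._-]+")
MAX_LEN = 254

# The approach the guideline warns against: a list of "bad" characters.
BAD_CHARS = set(";\n")

def allowlist_ok(addr):
    """Accept only the common user@host form; reject everything else."""
    # fullmatch, not match with '$': '$' would let a trailing newline through.
    return len(addr) <= MAX_LEN and ALLOWED.fullmatch(addr) is not None

def badlist_ok(addr):
    """Accept anything that contains none of the listed bad characters."""
    return not (set(addr) & BAD_CHARS)

# Addresses taken from the thread, plus one constructed trailing-newline case.
SAMPLES = [
    "user@host.net",
    "user_name@company.com",
    "alex+@pitt.edu",
    "mi%aldan.UUCP@algebra.com",
    "user%host.domain@anon.penet.fi",
    "host1!host2!user",
    "harvard!adam",
    '"cat ../../../etc/passwd"@foo.com',
    "user@host.net\n",  # constructed
]

def compare(samples):
    """Return {address: (allowlist verdict, bad-character-list verdict)}."""
    return {a: (allowlist_ok(a), badlist_ok(a)) for a in samples}

if __name__ == "__main__":
    for addr, (allow, bad) in compare(SAMPLES).items():
        print(f"{addr!r:40} allowlist={allow!s:5} badlist={bad}")
```

The allowlist turns away the valid '%' and '!' forms along with the quoted path string, which is the trade-off the reply accepts; the bad-character list lets all of them through.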