Does this create a security hole (or another) problem?

Started by Hoochie Coochie Man, November 01, 2008, 08:28:35 PM


Hoochie Coochie Man

Hey everyone.

On the Turkish boards, we have a tip.
This tip solves "the Turkish letter issue" on Hotmail.

Normally, when you send e-mail to users from the admin panel,
Turkish letters do not show.

So, when you apply this tip:

Sources / Subs-Post.php
Find:
if (preg_match('~@(yahoo|hotmail)\.[a-zA-Z\.]{2,6}$~i', $to_address) === 1)

Removing 2-6

I mean like this:
if (preg_match('~@(yahoo|hotmail)\.[a-zA-Z\.]{}$~i', $to_address) === 1)

Then the problem is solved. All Turkish letters are appearing.

So, does this create a security hole (or another) problem?

Any help would be great, Thanks.
İnadına SMF 1.1.X

Oldiesmann

So Hotmail fully supports international characters now?

That change prevents SMF from applying special functionality to email messages being sent to Yahoo or Hotmail email addresses. This functionality was put in place due to previous problems with Yahoo and Hotmail supporting international characters.
Michael Eshom
Christian Metal Fans

Hoochie Coochie Man

Quote from: Oldiesmann on November 01, 2008, 10:00:16 PM
So Hotmail fully supports international characters now?
Yes. So, does this create a security hole (or another) problem?
İnadına SMF 1.1.X

[SiNaN]

That will cause that preg_match() not to function properly; it will always fail. It just prevents the hotmail/yahoo fix from working. It is the same as removing the hotmail fix completely.

Although preg_match() is mostly used to validate input for security, in this case it is used to decide whether the e-mail provider is a hotmail/yahoo international one or not. It is not related to security.
Former SMF Core Developer | My Mods | SimplePortal
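
The behaviour described in the reply above can be checked directly. This is an added example, not SMF code or code from any poster: it runs the original and the edited pattern from the first post over constructed sample addresses, and `classify()` and the addresses are assumptions made for illustration.

```php
<?php
// Patterns copied from the first post: the original check and the edited one.
const ORIGINAL = '~@(yahoo|hotmail)\.[a-zA-Z\.]{2,6}$~i';
const MODIFIED = '~@(yahoo|hotmail)\.[a-zA-Z\.]{}$~i';

// Hypothetical helper: reports how preg_match() treats one address.
function classify(string $pattern, string $address): string
{
    $result = preg_match($pattern, $address);
    if ($result === false) {
        // false means the pattern itself failed, which is different from "no match" (0).
        return 'regex error ' . preg_last_error();
    }
    // The code quoted in the first post compares the result with === 1.
    return $result === 1 ? 'match' : 'no match';
}

// Constructed sample addresses, not taken from the thread.
$samples = [
    'user@hotmail.com',
    'user@yahoo.co.uk',
    'user@hotmail.com.tr',
    'user@example.org',
    'user@hotmail.c{}', // ends in literal braces
];

foreach ($samples as $address) {
    printf(
        "%-22s original: %-10s modified: %s\n",
        $address,
        classify(ORIGINAL, $address),
        classify(MODIFIED, $address)
    );
}
```

PCRE reads `{}` as two literal characters rather than as a quantifier, so the edited pattern is still a valid regex but only matches an address that ends in one letter or dot followed by `{}`. For every ordinary Hotmail or Yahoo address the check returns 0 and the provider-specific branch is skipped.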

Hoochie Coochie Man

İnadına SMF 1.1.X

Sinan ANDIRMAN

I have solved this problem in this topic:
http://www.simplemachines.org/community/index.php?topic=199273.msg1765464#msg1765464

;)

This edit is a reason for XSS attacks, because it includes bad text, I know.

For example, karlbenson's AVEAC Mod includes a preg_match for this situation.

Also, I may be wrong about this topic. I think karlbenson should look at this topic.

Hoochie Coochie Man

Quote from: Sinan ANDIRMAN on November 02, 2008, 05:15:21 PM
I have solved this problem in this topic:
http://www.simplemachines.org/community/index.php?topic=199273.msg1765464#msg1765464
;)


No you didn't.
You said that there is a security hole in this tip, and that's why I opened this topic.
I wanted to learn if there really is a security hole.
İnadına SMF 1.1.X

Sinan ANDIRMAN

An example from a video mod:

[mynet]23472947[/mynet] like you intend
or
[mynet]343&badvariable=badbadbadbad[/mynet]
For security reasons (to prevent XSS attack) the variable that is passed should be checked and validated with a preg_match.
This ensures that hackers can't pass bad strings, and is a good way to check that the variable passed is valid.

This is only an example. I am making a connection from this example to this topic.

[SiNaN]

That is just one use of it. http://tr2.php.net/preg_match Also, you can search for the function on Google to find some information in your own language. I'm sure it will be better.
Former SMF Core Developer | My Mods | SimplePortal

Sinan ANDIRMAN

Hmmm, thank you for the advice, major Sinan. And I think karlbenson should look at this topic.