From 6dbe4531a1ffa3a63b90b85372f04b9e02be0b34 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Sun, 1 Nov 2020 00:35:06 +0100 Subject: [PATCH] misc: add more checks on email address localpart (#48133) --- src/authentic2/validators.py | 6 +++++- tests/test_validators.py | 16 ++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/src/authentic2/validators.py b/src/authentic2/validators.py index 0506a7bb..c43da817 100644 --- a/src/authentic2/validators.py +++ b/src/authentic2/validators.py @@ -16,9 +16,9 @@ from __future__ import unicode_literals +import re import smtplib -import django from django.utils.deconstruct import deconstructible from django.utils.translation import ugettext_lazy as _ from django.core.exceptions import ValidationError @@ -80,10 +80,14 @@ class EmailValidator(object): except smtplib.SMTPConnectError: continue + LOCALPART_FORBIDDEN_RE = re.compile(r'^(?:[./|]|.*[@%!`#&?]|.*/\.\./)') + def __call__(self, value): DjangoEmailValidator()(value) localpart, hostname = value.split('@', 1) + if self.LOCALPART_FORBIDDEN_RE.match(localpart): + raise ValidationError(DjangoEmailValidator.message, code=DjangoEmailValidator.code) if app_settings.A2_VALIDATE_EMAIL_DOMAIN: mxs = self.query_mxs(hostname) if not mxs: diff --git a/tests/test_validators.py b/tests/test_validators.py index b08a8a34..26d552da 100644 --- a/tests/test_validators.py +++ b/tests/test_validators.py 
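Review bot: The new LOCALPART_FORBIDDEN_RE check in __call__ runs on `localpart` taken from the existing `value.split('@', 1)`, so for a quoted-string local part containing `@` (a form Django's EmailValidator accepts, e.g. `"a@b"@example.com`) only the text before the first `@` is examined, the `@` rejection never fires, and the remainder is passed on as the hostname. Splitting on the last `@`, as Django's own validator does, keeps the new check aligned with the address actually being validated: `localpart, hostname = value.rsplit('@', 1)`. The regex's character set is otherwise undocumented; a comment above it naming what each alternative rejects (a leading `.`, `/` or `|`; any of `@`, `%`, `!`, `#`, `&`, `?` or a backtick anywhere; a `/../` segment) and which downstream consumer of the local part motivates it would make the rule maintainable. `__call__` continues past the end of the hunk.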
@@ -48,13 +48,17 @@ def test_digits_password_policy(settings): validate_password('12345678') -def test_email_validator(): +@pytest.mark.parametrize('email', ['nok', '@nok.com', 'foo@bar\x00', + 'foo&@bar', '|a@nok.com', 'a/../b@nok.com', + 'a%b@nok.com', 'a!b@nok.com', 'a#b@nok.com', + 'a&b@nok.com', 'a?b@nok.com']) +def test_email_validator_nok(email): with pytest.raises(ValidationError): - EmailValidator()('nok') - with pytest.raises(ValidationError): - EmailValidator()('@nok.com') - with pytest.raises(ValidationError): - EmailValidator()('foo@bar\x00') + EmailValidator()(email) + + +@pytest.mark.parametrize('email', ['ok@ok.com', 'a|b@ok.com', 'a/..b@ok.com']) +def test_email_validator_ok(email): EmailValidator()('ok@ok.com') -- 2.29.1
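Review bot: `test_email_validator_ok` is parametrized over `email` but its body still calls `EmailValidator()('ok@ok.com')`, so the two new accepted cases (`a|b@ok.com`, `a/..b@ok.com`) never reach the validator and the test cannot catch the pipe or `/..` rule being tightened by mistake. The body should use the parameter: `EmailValidator()(email)`. The rejected list also leaves the leading-`/` and backtick alternatives of the new regex unexercised; adding cases such as `'/a@nok.com'` and `'a`b@nok.com'` would cover them.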