mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-15 20:09:18 -05:00
error 500 on login - invalid email address #9027
Closed
opened 2025-11-02 08:26:21 -06:00 by GiteaMirror
·
9 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#9027
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @fnetX on GitHub (Jun 5, 2022).
Description
A user on Codeberg reported they cannot login any more, because they only see an error 500 screen. We were able to reproduce: Users with an email address that is considered invalid by Gitea after it was registered have trouble signin in. It was
_@<hostname>in this case.It seems to work after reloading the page, but is still worrisome. Please confirm that users who do have valid email addresses that aren't considered valid by Gitea any more are not limited in their actions (e.g. receiving notifications, resetting password, etc).
I can only confirm that the mail address is still rejected by recent Gitea versions.
Further, editing the user lead to unhelpful error messages in the admin panel and lead to the "Create User Account" instead of the "edit" view, but I don't know how to provide more information on that weirdness, but I hope this will be fixed, too.
Gitea Version
1.16.8
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Codeberg, built from slightly modified fork,.
Database
MySQL
@lunny commented on GitHub (Jun 6, 2022):
From v1.16.4, the first charactor of email should be
[a-zA-Z0-9]for security reason, this should be a break change because users may registered email address before this version.ref:
1cb649525d (diff-a3ba59893d1c58125915ec8374a660356a259362e50c2d5dd3b04801dfc291e6R137-R141)@u0nel commented on GitHub (Jun 6, 2022):
what are the security reasons exactly?
@lunny commented on GitHub (Jun 14, 2022):
I can't remember that clearly, some reasons are some invisible characters in the email address could be accepted before.
@HermannDppes commented on GitHub (Jul 4, 2022):
As outlined in #19102, people were passing the addresses incorrectly to sendmail (it is, after all, far to easy to accidentally misuse weakly typed dynamic languages such as those effectively implemented by any command line interface). So, because these people were not escaping the attacker-controlled inputs properly, it was made harder to supply inputs necessitating an escape.
@u0nel commented on GitHub (Jul 4, 2022):
the email address didn't start with
-or--and didn't include any invisible characters, so the two previous comments don't apply to this case (localpart being_)@zeripath commented on GitHub (Jul 4, 2022):
There are a few issues:
if #19990 would be merged we could finally begin extending ambiguous character detection throughout Gitea as this provides the correct detection framework to do it. Then we can finally make it clear when this happening.
-in an email address will cause that email address to be interpreted as an option.Now most sendmail implementations have an
--option to terminate option interpretation but ... I cannot be certain how many do. Generally it's considered bad form to have-as the initial character for this reason.@balanceofcowards commented on GitHub (Aug 29, 2022):
Thanks for the work on this. I ran into this issue as well (also having an e-mail address starting with an underscore), and I'd like to comment a few things. NB: The file in question is models/user/email_address.go.
Ambiguous characters such as mentioned by @zeripath are a non-issue here: they are already correctly filtered by the regex in line 125. Indeed, RFC 5322 is pretty clear about the allowed characters in e-mail local parts (cf. RFC5322, pg 13 & 17/18).
The sendmail issue sounds to me like a typical code injection problem. The canonical solution then would be to escape user-provided strings (e.g., by quoting the e-mail address when used as a shell parameter), no? If the sendmail issue cannot be fixed by quoting, please at least limit the damage. The problem is quite specifically the leading hyphen -- it should suffice to check for this character.
The request / bug report here is to accept RFC-compliant e-mail addresses. If the first character of an e-mail address is required to be alphanumeric, then the comment in line 43 becomes misleading: Many standard compliant addresses will be rejected (as is the case, here).
I do not agree that #19903 fixes this bug -- it only provides a warning to server admins and does not indicate in what way an RFC-compliant address is considered invalid. Plus, I still have this problem on gitea 1.17.0 and I do not get a warning using 'gitea doctor'.
I would ask to reopen this issue. Also, I just sent a related PR: #20991
@delvh commented on GitHub (Aug 29, 2022):
Quote from @zeripath regarding this issue when I asked him about it some time ago:
@balanceofcowards commented on GitHub (Aug 29, 2022):
Hm, yes, but as I just argued: Ambiguous characters are a non-issue here. They are already filtered by the regex, and would not be RFC-compliant, anyway. The issue here is RFC-compliant addresses being rejected.