Problem/Motivation
Emails that pass Drupal's (in this case using egulias/EmailValidator) validation but fail validation in a service being used (for example Amazon's SES) can lead to undeliverable emails or even worse when using something like queue_mail can lead to clogged queues resulting in no email being sent at all.
The issue I'm facing is the validator currently accepts "example@email .com" (with the space) as a valid email. This leads to SES rejecting the email with the message:
Expected response code 250 but got code "554", with message "554 Transaction failed: Domain contains control or whitespace "
Due to that email being used in the Reply-To header.
Proposed resolution
Tighten the email validation on the Drupal end, or propose a fix upstream.
Comment | File | Size | Author |
---|---|---|---|
#43 | 3061074-43.patch | 2.41 KB | longwave |
#41 | 3061074-41.patch | 1.11 KB | chr.fritsch |
#39 | 3061074-39-8.9.x.patch | 46.5 KB | longwave |
#39 | 3061074-39-9.1.x.patch | 5.31 KB | longwave |
#39 | 3061074-39-9.2.x.patch | 5.27 KB | longwave |
Comments
Comment #2
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedThis seems similar to https://github.com/egulias/EmailValidator/issues/15.
The good news is that you can override or decorate the service while waiting for a solution. You could do the following, for example:
FWIW here is a patch that changes how Drupal core uses the validator. I haven't tested it in the Drupal context.
Comment #3
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedComment #4
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedComment #8
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedComment #9
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedThis is probably preferable so as to never have a random fail in UserEditTest.
Comment #10
acbramley CreditAttribution: acbramley at PreviousNext commentedYeah the problem is that DNSCheckValidation requires the
intl
extension.Comment #11
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedAFAIK via egulias/EmailValidator issues, the email address you cited in the summary may be technically legal in the email RFC but not actually a routable domain. There are probably other cases of oddities like this.
Comment #12
acbramley CreditAttribution: acbramley at PreviousNext commentedThanks so much for jumping on this so fast @cilefen, patch LGTM!
Comment #15
jungleThe patch in #11 is still valid. And RED (#3)/GREEN(#11) as expected
Do not understand why this change is necessary. It's out of scope from my understanding. Or am I missed something? Otherwise it's RTBC to me.
Thanks!
Comment #16
jungleFound in #9
Then tagging "Bug Smash Initiative" and setting to RTBC.
Comment #17
jungleComment #18
jungleSetting the target version to the current dev branch.
Comment #19
larowlanThere might be an issue here, in so far as existing records that were previously valid, may now be invalid.
I'm going to ask other committers to see if we need to worry about that.
Comment #20
catchI think we should do manual testing and decide from there how much of a problem this is, here's some rough steps of things to try:
1. Register an account with an invalid e-mail -
foo@example .com
2. Try to register a second account with the 'correct' version of that same e-mail:
foo@example.com
3. Apply the patch
4. Log in to the site, go to your user profile, try to save - do you get a validation error?
5. Try to change
foo@example .com
tofoo@example.com
and save again.(also the same steps as above, but missing out step #2)
Will definitely need a change record too.
Comment #21
catchBack to needs review for now.
Comment #22
longwaveSo I dug into the source package and found some tests that cover this case and more:
https://github.com/egulias/EmailValidator/blob/cfa3d44/tests/EmailValida...
Upstream considers this case as "pass with warnings". Should we expand this issue to fail validation if upstream returns any warnings, rather than add the hardcoded check for spaces? I suspect we should be rejecting cases such as
example@invalid.example(examplecomment).com
andexample@[127.0.0.1]
as invalid email addresses as well, even if they are technically valid per the RFC.Comment #23
larowlanYeah that seems reasonable
Comment #25
DieterHolvoet CreditAttribution: DieterHolvoet at Wieni commentedIs there any reason not to use both
RFCValidation
andDNSCheckValidation
as in the example in the README of the<a href="https://github.com/egulias/EmailValidator#user-content-available-validations">egulias/EmailValidator</a>
repository? This would fix some other issues aswell.Comment #26
longwave@DieterHolvoet I think that would have to be opt-in, as we can't guarantee all Drupal sites have outbound network access to resolve DNS records. There are likely also performance considerations as DNS lookups take time.
Comment #27
longwaveBetween 9.0.x and 9.1.x we upgraded egulias/email-validator and this seems to have resolved this issue.
Reuploading the test-only patch from #3.
If 9.0.x fails but 9.1.x passes I think we can just close this as won't fix.
Comment #29
longwaveComment #30
acbramley CreditAttribution: acbramley at PreviousNext commentedNice catch @longwave!! I think we can safely remove Needs manual testing as you found this fix via manual testing :)
Comment #31
longwaveUpstream this looks to be fixed by https://github.com/egulias/EmailValidator/commit/fda08d3d1b37d20e0a168e0... in 2.1.22.
However even in 9.2.x we only have a minimum version of
egulias/email-validator:^2.0
and we have no specific test for this case or min-max dependency testing that would cover this.So what do we do now? Should we bump the minimum version of
egulias/email-validator
? Should we add a specific test for this?Comment #32
longwaveBumping this one, as I've run into a production bug around this issue.
I have a site on 8.9.x using Drupal Commerce. A customer accidentally put a space in the domain part of their email address at checkout. I have a custom third party integration at the end of the checkout process that requires a valid email address. This integration failed due to a validation error, and so the order was stuck in Placed state and never completed.
This site is using
drupal/core-recommended
soegulias/email-validator
is pinned to 2.1.17 and I can't just bump the version to fix the root cause of the bug.Are we allowed to bump minor versions of dependencies in bug fix releases of core to solve issues like this?
Comment #33
longwavehttps://www.drupal.org/about/core/policies/core-dependencies-policies/co... says
In this case I think the risk of regression is small and the bug is worth fixing, therefore we should bump the minimum version of egulias/email-validator in all supported branches.
Comment #34
cilefen CreditAttribution: cilefen commented2.1.17 to 2.1.22 is a patch level change and can be done in any Drupal release to fix bugs.
Comment #35
longwaveSee #27 for test-only patch.
Comment #39
longwaveForgot to run
composer update --lock
8.9.x patch is much bigger because all the "support" sections are added to the lock file.
Comment #41
chr.fritschWe should get this done, not only because of the spacing issue also versions prior to 2.1.16 throw an error "Trying to access array offset on value of type null" on PHP 7.4
See https://github.com/egulias/EmailValidator/commit/5065fafc8c29d229ff207f2...
Comment #43
longwavecomposer.lock also needs updating.
Comment #44
init90LGTM
Comment #45
alexpottBumping this to critical since PHP 7.3 is about to be unsupported and our minimum version constraints will not be compatible with the minimum supported version of PHP - which seems really odd.
In an ideal world composer would fix this for us and somehow know which version of egulias/EmailValidator to choose but there's no way to update old releases and say that it's not compatible with a PHP version that was not around when it was released.
Comment #46
catchI think we still need the manual testing from #3061074-20: egulias/EmailValidator prior to 2.1.22 allows addresses with a space in the domain part for what behaviour we get with existing data, and whether it's allowed duplicate e-mail addresses to be used. The tag was removed, but that seems to have been unrelated to the upgrade path.
Comment #47
longwaveNote that 9.1.x shipped with 2.1.22 and 9.2.x/9.3.x/9.4.x already ship with 2.1.25, and these versions will be used by core-recommended. This issue is now just changing the minimum version that is present in composer.json to prevent older versions from being used, and adding a test for the previously broken behaviour.
See also #3238763: Upgrade egulias/email-validator to v3 as I think 2.1.25 is likely the last release of the 2.x series.
Comment #50
catchOK that's fair enough, if we've already updated it doesn't make sense to hold up changing the minimum version to the one we've already updated to.
Committed/pushed to 9.4.x and cherry-picked to 9.3.x, thanks!