Merged PR 21713: [release/3.1] MSRC 68590 - newlines in domain literals

block embedded CRLF by default.
dotnet · Mar 29, 2022 · 4f6b8ec · 4f6b8ec
1 parent b2244b6
commit 4f6b8ec
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/...onentModel.Annotations/src/System/ComponentModel/DataAnnotations/EmailAddressAttribute.cs b/...onentModel.Annotations/src/System/ComponentModel/DataAnnotations/EmailAddressAttribute.cs
@@ -8,6 +8,10 @@ namespace System.ComponentModel.DataAnnotations
         AllowMultiple = false)]
     public sealed class EmailAddressAttribute : DataTypeAttribute
     {
+        private static readonly char[] s_newLines = new char[] { '\r', '\n' };
+        private static bool s_allowFullDomainLiterals =
+            AppContext.TryGetSwitch("System.Net.AllowFullDomainLiterals", out bool enable) ? enable : false;
+
         public EmailAddressAttribute()
             : base(DataType.EmailAddress)
         {
@@ -28,6 +32,11 @@ public override bool IsValid(object value)
                 return false;
             }
 
+            if (!s_allowFullDomainLiterals && valueAsString.IndexOfAny(s_newLines) >= 0)
+            {
+                return false;
+            }
+
             // only return true if there is only 1 '@' character
             // and it is neither the first nor the last character
             int index = valueAsString.IndexOf('@');

diff --git a/...del.Annotations/tests/System/ComponentModel/DataAnnotations/EmailAddressAttributeTests.cs b/...del.Annotations/tests/System/ComponentModel/DataAnnotations/EmailAddressAttributeTests.cs
@@ -35,6 +35,7 @@ protected override IEnumerable<TestCase> InvalidValues()
             yield return new TestCase(new EmailAddressAttribute(), "someName");
             yield return new TestCase(new EmailAddressAttribute(), "someName@");
             yield return new TestCase(new EmailAddressAttribute(), "someName@[email protected]");
+            yield return new TestCase(new EmailAddressAttribute(), "someName@[\r\n\tsomeDomain]");
         }
 
         [Fact]

diff --git a/src/System.Net.Mail/src/System/Net/Mail/MailAddress.cs b/src/System.Net.Mail/src/System/Net/Mail/MailAddress.cs
@@ -15,6 +15,10 @@ namespace System.Net.Mail
     //
     public partial class MailAddress
     {
+        private static readonly char[] s_newLines = new char[] { '\r', '\n' };
+        private static bool s_allowFullDomainLiterals =
+            AppContext.TryGetSwitch("System.Net.AllowFullDomainLiterals", out bool enable) ? enable : false;
+
         // These components form an e-mail address when assembled as follows:
         // "EncodedDisplayname" <userName@host>
         private readonly Encoding _displayNameEncoding;
@@ -152,6 +156,12 @@ private string GetHost(bool allowUnicode)
                     throw new SmtpException(SR.Format(SR.SmtpInvalidHostName, Address), argEx);
                 }
             }
+
+            if (!s_allowFullDomainLiterals && domain.IndexOfAny(s_newLines) >= 0)
+            {
+                throw new SmtpException(SR.Format(SR.SmtpInvalidHostName, Address));
+            }
+
             return domain;
         }