Last modified: 2011-11-02 06:24:13 UTC
I was playing around with the Contest extension and used "hhhh@f" as my e-mail address. The extension accepted this e-mail address (which ought to be the subject of another bug), but more disturbingly, the extension silently set my global e-mail address as "hhhh@f" and marked the e-mail address as being confirmed/authenticated. The Contest extension shouldn't touch user.user_email at all. And it most certainly shouldn't do so silently.
So far for the built-in PHP mail validation function... wtf...

The email address field in the signup form should default to your set email address if you have any. Just had a look, and this appears to work as it should.

You are right that changing the address should cause it to be in non-validated state, this is something I overlooked. However, the change of the user email field is deliberate, and was discussed before creating the extension. The idea here is that it makes little sense to have separate storage for the email address of a user, as it's really one piece of info, hence the usage of the user_email field in the user table. The field in the contest extension is there to keep a copy that cannot be changed after contest end.
(In reply to comment #1)
> So far for the built-in PHP mail validation function... wtf...

I imagine it's accounting for something like... user@localhost.

> The email address field in the signup form should default to your set email
> address if you have any. Just had a look, and this appears to work as it
> should.

Yes, it does. But...

> You are right that changing the address should cause it to be in
> non-validated state, this is something I overlooked.

Much more importantly, if it's going to change user.user_email to a new value, it should first confirm this with the user. "Your e-mail address is currently set to foo@bar.com. You've indicated that your e-mail address is baz@bang.com. Would you like to update your Wikimedia account?" Or something.

> However, the change of the user email field is deliberate, and was discussed
> before creating the extension.

Changing the e-mail address is fine. _Silently_ changing it is not.
wtf yes this should definitely not be changing your user account settings without warning...
Right. Will add a warning then.
(In reply to comment #0)
> I was playing around with the Contest extension and used "hhhh@f" as my e-mail
> address. The extension accepted this e-mail address (which ought to be the
> subject of another bug),

That is a perfectly valid address per the RFC from my understanding... This should not be changed.
(In reply to comment #5)
> (In reply to comment #0)
> > I was playing around with the Contest extension and used "hhhh@f" as my e-mail
> > address. The extension accepted this e-mail address (which ought to be the
> > subject of another bug),
> That is a perfectly valid address per the RFC from my understanding... This
> should not be changed.

Cept unless the MediaWiki install has a local hosts modification or is running in an intranet with custom hosts there's no way MediaWiki can send to that address. It would probably be useful to validate the TLDs used in e-mail addresses to ensure the domain in the e-mail is valid for use. Of course with a config option to disable it for intranets and whatnot. Mozilla's Public Suffix List project would be useful for this: http://publicsuffix.org/
Added warning message in r101585
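
The behaviour requested in this thread (ask before overwriting the account-wide address, clear the confirmed flag when it changes, and optionally reject domains with no known suffix), as an added Python sketch that is not the Contest extension's or MediaWiki's code. `Account`, `has_known_suffix`, `apply_signup_email` and the tiny `KNOWN_SUFFIXES` set are hypothetical names constructed for illustration; a real check would load the Public Suffix List data.

```python
from dataclasses import dataclass

# Constructed stand-in for suffix data; not the real Public Suffix List.
KNOWN_SUFFIXES = {"com", "org", "net", "co.uk"}


@dataclass
class Account:
    email: str
    email_confirmed: bool


def has_known_suffix(address, suffixes=KNOWN_SUFFIXES):
    """True if the domain has at least one label in front of a known suffix."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    labels = domain.lower().rstrip(".").split(".")
    # Start at 1 so a bare suffix ("x@com") or a single label ("hhhh@f") fails.
    return any(".".join(labels[i:]) in suffixes for i in range(1, len(labels)))


def apply_signup_email(account, submitted, user_agreed, check_suffix=True):
    """Decide what a signup form may do to the account-wide address.

    Returns "unchanged", "rejected", "needs_consent" or "updated".
    check_suffix=False models the intranet opt-out suggested in the thread.
    """
    submitted = submitted.strip()
    if submitted == account.email:
        return "unchanged"
    if check_suffix and not has_known_suffix(submitted):
        return "rejected"
    if not user_agreed:
        # Caller shows the "Would you like to update your account?" prompt.
        return "needs_consent"
    account.email = submitted
    # A new address has never been verified, so the old confirmation is void.
    account.email_confirmed = False
    return "updated"


if __name__ == "__main__":
    acct = Account("foo@bar.com", True)
    print(apply_signup_email(acct, "hhhh@f", user_agreed=True))
    print(apply_signup_email(acct, "baz@bang.com", user_agreed=False))
    print(apply_signup_email(acct, "baz@bang.com", user_agreed=True), acct)
```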