View Issue Details

ID: 0025619
Project: mantisbt
Category: custom fields
View Status: public
Last Update: 2021-01-11 17:26
Reporter: rogueresearch
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 2.19.0
Summary: 0025619: $g_limit_email_domains impacts custom e-mail fields, which is unexpected from its documentation
Description

The Admin Guide here:
http://www.mantisbt.org/docs/master/en-US/Admin_Guide/Admin_Guide.pdf

says:

"$g_limit_email_domains - Only allow and send email to addresses in the given domain(s). This is useful as a security feature and it is also useful in cases like Sourceforge where its servers are only limited to send emails to SourceForge email addresses in order to avoid spam. $g_limit_email_domains = array( 'users.sourceforge.net', 'sourceforge.net' );"

After setting this to:

$g_limit_email_domains = array( 'rogue-research.com' );

I am no longer able to edit issues that use a 'custom field' of 'e-mail' type; Mantis will report:

APPLICATION ERROR 0001303
Invalid value for field "Customer Email"

My customers of course don't have emails in my own domain. :)

From its documentation, I wouldn't have expected $g_limit_email_domains to limit what can go into database fields, but only to limit emails that Mantis actually sends out.

Tags: No tags attached.

Relationships

related to 0011610 (closed, dhx) Regular expressions to validate custom list field

Activities

rogueresearch

2020-01-10 19:16

reporter   ~0063423

Hmmm, I just tried in Mantis 2.23.0 on a test server, and don't seem to reproduce it anymore...

Did someone fix this?

I'll try again on my production server once I update it too...

dregad

2020-01-10 19:37

developer   ~0063424

I don't think this has been touched. Maybe it was caused by your setup. Please let us know after checking, whether the problem is indeed fixed, so we can resolve this issue.

rogueresearch

2020-02-15 21:45

reporter   ~0063639

I've finally tried on my production server (now 2.23.0), and this bug does reproduce.

What logs or steps would be helpful to debug this?

Thanks.

rogueresearch

2021-01-10 18:41

reporter   ~0064966

So I just searched the Mantis codebase, and found:

  • $g_limit_email_domains is consulted only by the email_is_valid function
  • the custom_field_validate function has:
        case CUSTOM_FIELD_TYPE_EMAIL:
            if( $p_value !== '' ) {
                $t_valid &= email_is_valid( $p_value );
            }

So indeed the behaviour I'm seeing does indeed seem to be what the code is doing, and indeed does not match the documentation.

Question is: which is wrong, the code or the docs?

Personally, I'd say the code is buggy. I'd like to constrain my server from sending email outside my company, but that doesn't mean I want to forbid custom database fields from using external email addresses.

atrol

2021-01-11 16:31

developer   ~0064968

Last edited: 2021-01-11 16:32

Behavior was introduced in 1.2.1 when implementing 0011610

We could

  1. remove the validation
  2. use the same validation that is used for strings (allow empty value, check regexp, check min/max length)
  3. implement a validation of its own (e.g. just check PHPMailer::validateAddress( $p_email, 'html5' ), similar to the check in email_is_valid)
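
The split discussed in this thread, shown as an added example that is not MantisBT code or a proposed patch: a syntax-only check for stored e-mail custom field values, kept separate from the domain allow-list that applies when mail is sent. All `example_*` function names are hypothetical, `filter_var()` stands in for the PHPMailer check mentioned in option 3, and the empty-list behaviour is an assumption.

```php
<?php
// Added illustration, not MantisBT code. All example_* names are hypothetical.

// Constructed sample config, mirroring the reporter's setting.
$g_limit_email_domains = array( 'rogue-research.com' );

// Syntax-only check: suitable for values that are merely stored,
// such as an e-mail custom field.
function example_email_syntax_ok( string $p_email ): bool {
    return filter_var( $p_email, FILTER_VALIDATE_EMAIL ) !== false;
}

// Send-time policy: syntax check plus the domain allow-list.
// Assumption: an empty list means no restriction.
function example_email_may_send_to( string $p_email, array $p_domains ): bool {
    if( !example_email_syntax_ok( $p_email ) ) {
        return false;
    }
    if( count( $p_domains ) === 0 ) {
        return true;
    }
    // Compare the part after the last '@' case-insensitively.
    $t_domain = strtolower( substr( $p_email, strrpos( $p_email, '@' ) + 1 ) );
    foreach( $p_domains as $t_allowed ) {
        if( $t_domain === strtolower( $t_allowed ) ) {
            return true;
        }
    }
    return false;
}

// Custom field validation under this split: empty allowed, otherwise syntax only.
function example_custom_field_email_valid( string $p_value ): bool {
    return $p_value === '' || example_email_syntax_ok( $p_value );
}

// Constructed sample addresses.
$t_samples = array( 'dev@rogue-research.com', 'customer@example.org', 'not-an-address', '' );
foreach( $t_samples as $t_addr ) {
    printf( "%-26s store=%s send=%s\n",
        var_export( $t_addr, true ),
        var_export( example_custom_field_email_valid( $t_addr ), true ),
        var_export( example_email_may_send_to( $t_addr, $g_limit_email_domains ), true ) );
}
```

With this split, `customer@example.org` can be stored in the custom field but is still rejected as a mail recipient, so the outbound restriction keeps its effect.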