Re: Checking if email is valid

2023-11-01 Thread Simon Connah via Python-list
OK. I've been doing some reading, and you should avoid regex to check email 
addresses. So what I was thinking was something like this:

if type(email_recipient) != email.message.Message:

I just don't know why that particular line isn't working.

Thank you!

--- Original Message ---
On Wednesday, 1 November 2023 at 10:09, Simon Connah wrote:


> Hi,
>
> I'm building a simple project using smtplib and have a question. I've been 
> doing unit testing but I'm not sure how to check if an email message is 
> valid. Using regex sounds like a bad idea to me and the other options I found 
> required paying for third party services.
>
> Could someone push me in the right direction please? I just want to find out 
> if a string is a valid email address.
>
> Thank you.
>
> Simon.

signature.asc
Description: OpenPGP digital signature
-- 
https://mail.python.org/mailman/listinfo/python-list


Checking if email is valid

2023-11-01 Thread Simon Connah via Python-list
Hi,

I'm building a simple project using smtplib and have a question. I've been 
doing unit testing but I'm not sure how to check if an email message is valid. 
Using regex sounds like a bad idea to me and the other options I found required 
paying for third party services.

Could someone push me in the right direction please? I just want to find out if 
a string is a valid email address.

Thank you.

Simon.



Re: Checking if email is valid

2023-11-01 Thread Simon Connah via Python-list
> On 2023-11-01, Simon Connah via Python-list python-list@python.org wrote:
>
> > I'm building a simple project using smtplib and have a
> > question. I've been doing unit testing but I'm not sure how to check
> > if an email message is valid.
>
> Send an e-mail using it? If the right person gets the e-mail, then
> it's valid?
>
> > Using regex sounds like a bad idea to me and the other options I
> > found required paying for third party services.
> >
> > Could someone push me in the right direction please? I just want to
> > find out if a string is a valid email address.

OK. It is going to take me some time to get round to every reply here so please 
bear with me.

Basically I'm writing unit tests and one of them passes in a string with an 
invalid email address. I need to be able to check the string to see if it is a 
valid email so that the unit test passes.

> You'll have to define "valid". Valid syntactically according to
> ? Will be accepted by an SMTP server somewhere? Corresponds to
> a real person?
>
> Make sure it has an '@' in it. Possibly require at least one '.'
> after the '@'.
>
> Trying to do anything more than that is just wasting your time and
> annoying the mule.

Valid as in conforms to the standard. Although having looked at the standard 
that might be more difficult than originally planned.

Simon.



Re: Checking if email is valid

2023-11-01 Thread Simon Connah via Python-list
> On Thu, 2 Nov 2023 at 05:21, Simon Connah via Python-list
> python-list@python.org wrote:
>
> > Could someone push me in the right direction please? I just want to find 
> > out if a string is a valid email address.
>
> There is only one way to know that a string is a valid email address,
> and that's to send an email to it.
>
> What is your goal though? For example, if you're trying to autolink
> email addresses in text, you don't really care whether it's valid,
> only that it looks like an address.

My goal is to make a simple mailing list platform. I guess I could just send 
email to an address and if it bounces then I can remove it from the database. 
Thing is I'm not sure how close to a real email address an email has to be in 
order to be bounced. If it was completely wrong it might just be swallowed up.

Simon.



Re: Checking if email is valid

2023-11-01 Thread Simon Connah via Python-list
> On 2023-11-01, Chris Angelico ros...@gmail.com wrote:
>
> > On Thu, 2 Nov 2023 at 05:21, Simon Connah via Python-list
> > python-list@python.org wrote:
> >
> > > Could someone push me in the right direction please? I just want to
> > > find out if a string is a valid email address.
> >
> > There is only one way to know that a string is a valid email address,
> > and that's to send an email to it.
> >
> > What is your goal though? For example, if you're trying to autolink
> > email addresses in text, you don't really care whether it's valid,
> > only that it looks like an address.
>
> There's often value in even only partially-effective checks though.
> With an email address you can easily check to see if it has an "@",
> and if the stuff after the "@" is a syntactically valid domain name.
> You can also go a bit further and check to see if the domain has an
> MX record, and if it doesn't then it is extremely unlikely that the
> address is valid.
> --
> https://mail.python.org/mailman/listinfo/python-list

Apparently UTF-8 characters are allowed in email addresses now. That is going 
to lead to a whole new level of pain for determining if an email address is 
correct.

Simon.

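A Python version of the partial checks Jon Ribbens describes above (an "@" is present, the text after it is a syntactically valid domain name, and optionally the domain has an MX record), added here as an example and not code from the thread. It also handles the non-ASCII domains Simon mentions by converting them to their IDNA form; the mx_lookup callable is a hypothetical hook the caller supplies, so the code itself runs offline and is deliberately lenient about the local part.

```python
import re
from typing import Callable, Optional

# Constructed example (not code from the thread) implementing the partial checks
# suggested above: an '@' must be present, the text after the last '@' must be a
# syntactically valid hostname, and an optional MX check can be plugged in.
# Non-ASCII domains are handled by converting them to IDNA form first.

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(domain: str) -> Optional[str]:
    """Return the lower-case ASCII (IDNA) form of a hostname, or None if it
    breaks the hostname rules: labels of 1-63 chars from [a-z0-9-], no leading
    or trailing hyphen, at least two labels, at most 253 chars in total."""
    try:
        ascii_domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError:          # empty label, label too long, bad code point
        return None
    labels = ascii_domain.split(".")
    if len(ascii_domain) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return ascii_domain


def email_looks_valid(address: str,
                      mx_lookup: Optional[Callable[[str], bool]] = None) -> bool:
    """Cheap plausibility check, deliberately lenient on the local part.

    mx_lookup is a hypothetical caller-supplied callable (e.g. wrapping a DNS
    library) that returns True if the ASCII domain has an MX record; it is
    injected so this function itself runs offline.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    if len(local.encode("utf-8")) > 64:   # RFC 5321 local-part length limit
        return False
    ascii_domain = normalise_domain(domain)
    if ascii_domain is None:
        return False
    if mx_lookup is not None and not mx_lookup(ascii_domain):
        return False
    return True
```

Note that the quoted-local-part address from later in the thread passes the syntactic check because only the domain is inspected; a real MX lookup would still need a DNS library behind mx_lookup.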


Re: Checking if email is valid

2023-11-02 Thread Simon Connah via Python-list
> See https://www.linuxjournal.com/article/9585?page=0,0

That looks painful to maintain!



Re: Checking if email is valid

2023-11-02 Thread Simon Connah via Python-list

> Agreed.
>
> However, with names that are frequently misspelled or which are
> commonly-spelled slightly differently, the 'trick' is to anticipate
> problems and set up aliases which forward messages to the correct address*.
>
> eg Kelvin -> Kevlin
> Niel, Neal, Neale (etc) -> Neil
>
> (in the same way that GoodLookingGuy@mydomain -> me,
> or (more likely) MailAdmin -> me)
>
> * however, this can end-up perpetuating the mistake, rather than
> correcting...
>
> --
> Regards,
> =dn

I'm not sure that would be practical. As I'm setting up a mailing list server I 
don't know if someone in the future is going to need to use one of those 
aliases and testing manually would be tedious.

Simon.



Re: Checking if email is valid

2023-11-02 Thread Simon Connah via Python-list

> Please re-read.
> Discussion is about "closeness".
> Thus, what you might expect from email servers and Admins, NOT what you
> should do. That part should be quite evident by now!

My apologies for making a mistake.

Simon.



Re: Checking if email is valid

2023-11-03 Thread Simon Connah via Python-list


> On 11/2/23 00:42, Simon Connah via Python-list wrote:
> 

> > Basically I'm writing unit tests and one of them passes in a string
> > with an invalid email address. I need to be able to check the string
> > to see if it is a valid email so that the unit test passes.
>
> If you truly have managed to code an RFC-compliant verifier, I commend you.

Sorry I wasn't clear. I haven't written anything of the sort but I was looking 
to see if there was a third party option but from feedback in this thread it 
appears that way is considered a bad option.

Simon.



Re: Checking if email is valid

2023-11-04 Thread Simon Connah via Python-list
> On 11/3/2023 6:51 AM, Jon Ribbens via Python-list wrote:
>
> > On 2023-11-03, Chris Angelico ros...@gmail.com wrote:
> >
> > > On Fri, 3 Nov 2023 at 12:21, AVI GROSS via Python-list
> > > python-list@python.org wrote:
> > >
> > > > My guess is that a first test of an email address might be to see if
> > > > a decent module of that kind fills out the object to your
> > > > satisfaction. You can then perhaps test parts of the object, rather
> > > > than everything at once, to see if it is obviously invalid. As an
> > > > example, what does u...@alpha...com with what seems to be lots of
> > > > meaningless periods, get parsed into?
> > >
> > > What do you mean by "obviously invalid"? Have you read the RFC?
> >
> > What do you mean by 'What do you mean by "obviously invalid"?'
> > Have you read the RFC?
>
> About reading the RFC, there's this ... but read the comments too ...
>
> https://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx/

Wow. I'm half tempted to make a weird email address to see how many websites 
get it wrong.

Thank you for the link.

Simon.



Re: Checking if email is valid

2023-11-04 Thread Simon Connah via Python-list
> On 2023-11-02, Simon Connah simon.n.con...@protonmail.com wrote:
>
> > Valid as in conforms to the standard. Although having looked at the
> > standard that might be more difficult than originally planned.
>
> Yes. Almost nobody actually implements "the standard" as in RFC 2822
> section 3.4.1 (which can contain, for example, non-printable control
> characters, and comments), nor is it particularly clear that they
> should. So while checking against "the spec" might sound right, it's
> highly unlikely that it's what you actually want. Would you really
> want to allow:
>
> (jam today) "chris @ \"home\""@ (Chris's host.)public.example
>
> for example? And would you be able to do anything with it if you did?

As I said in another post it would be interesting to see what broke when you 
tried to use an esoteric email address in the wild. Maybe when I'm bored :D.

Simon.



Re: Checking if email is valid

2023-11-06 Thread Simon Connah via Python-list

> I can see how the truly dim-witted might forget that other countries
> have phone numbers with differing lengths and formatting/punctuation,
> but there are tons of sites where it takes multiple tries when
> entering even a bog-standard USA 10-digit phone number because they
> are completely flummoxed by an area code in parens or hyphens in the
> usual places (or lack of hyphens in the usual places). This stuff
> isn't that hard, people...

The thing I truly hate is when you have two telephone number fields. One for 
landline and one for mobile. I mean who in hell has a landline these days? And 
not accepting your mobile number in the landline number field is just when I 
give up. Or having a landline only field that does not accept mobile phones.

Simon.



Sanitise user input for a script

2024-08-30 Thread Simon Connah via Python-list
I need to write a script that will take some user input (supplied on a website) 
and then execute a Python script on a host via SSH. I'm curious what the best 
options are for protecting against malicious input in much the same way as you 
sanitise SQL to protect against SQL injections.

I could do it either on the website itself or by doing it on the host machine.

I'm thinking of using argparse but I'm aware it does not offer any protection 
itself.

If someone has any suggestions I'd appreciate it. If you need more information 
then please let me know.

Simon.



Re: Sanitise user input for a script

2024-08-30 Thread Simon Connah via Python-list
On Friday, 30 August 2024 at 21:23, Peter J. Holzer via Python-list wrote:

> On 2024-08-30 19:18:29 +0000, Simon Connah via Python-list wrote:
>
> > I need to write a script that will take some user input (supplied on a
> > website) and then execute a Python script on a host via SSH. I'm
> > curious what the best options are for protecting against malicious
> > input in much the same way as you sanitise SQL to protect against SQL
> > injections.
>
> (Aside: Don't "sanitize" SQL. Use placeholders.)
>
> > I could do it either on the website itself or by doing it on the host
> > machine.
>
> You will have to do it in the web site.
>
> The SSH manual states:
>
> | If supplied, the arguments will be appended to the command, separated by
> | spaces, before it is sent to the server to be executed.
>
> So whether you call
> ssh myhost print_args a b c
> or
> ssh myhost print_args a "b c"
> in both cases exactly the same string will be sent to myhost, and it
> won't have any chance to distinguish them.
>
> So you will either have to filter ("sanitize") the arguments or properly
> quote them before invoking SSH.
>
> > If someone has any suggestions I'd appreciate it. If you need more
> > information then please let me know.
>
> First, if there is any chance that your arguments can contain characters
> with meaning to the shell (like an apostrophe in a name), get the
> quoting correct. If you can, transmit those arguments in a different way
> (e.g. as input, maybe just nul-separated, maybe as JSON, or whatever).
>
> That removes the SSH-specific problems. There may still be problems with
> the python script on the host.
>
> Then, do all the validation you can on the web server. Reject all
> requests which aren't valid. But be sure to check against the relevant
> specifications, not your prejudices (You may not think that an
> apostrophe in an email address is valid, but it is). Include meaningful
> error messages (not just "input invalid"). Helping your legitimate users
> is more important than slightly inconveniencing an attacker.

Thank you very much. That is very useful.

Simon.



Re: Sanitise user input for a script

2024-08-30 Thread Simon Connah via Python-list
On Friday, 30 August 2024 at 23:35, Thomas Passin via Python-list wrote:

> On 8/30/2024 3:18 PM, Simon Connah via Python-list wrote:
>
> > I need to write a script that will take some user input (supplied on a 
> > website) and then execute a Python script on a host via SSH. I'm curious 
> > what the best options are for protecting against malicious input in much 
> > the same way as you sanitise SQL to protect against SQL injections.
>
> You should never, never, never "sanitize" SQL. Use prepared statements
> instead.

Yes. Sorry. I forgot what it was called and accidentally called it sanitising 
instead but I'm using prepared statements in psycopg 3 for SQL.

> What kind of user input do you expect to get that would need to be
> "sanitized"? How are you going to use it such that malicious input might
> cause trouble? I hope you aren't planning to exec() it. Are you
> expecting a user to send in a script and your server will execute it?
> Better read up on sandboxing, then.

No. I'm not planning on exec()ing a random script. I have a prepared Python 
script which configures various things. The web server connects to the server 
via SSH and runs my Python script which then runs commands like bhyve (FreeBSD) 
and it also does things like configure the firewall config file to change 
firewall rules. The customer has no direct access to the Python script.

In terms of arguments the script that deals with bhyve for instance takes 
arguments such as CPU count and RAM amount.

> If you won't be exec()ing a script, then you can consider creating an
> API where each method of the API can only do limited things, and only
> with certain parameters not all of all them. The SSH message can include
> the name of the method to use.
>
> And follow what Peter Holzer wrote. Don't forget that quoting practices
> are not the same between Windows and Linux.

Thank you. I'll look into this. Makes sense.

> > I could do it either on the website itself or by doing it on the host 
> > machine.
> >
> > I'm thinking of using argparse but I'm aware it does not offer any 
> > protection itself.
> >
> > If someone has any suggestions I'd appreciate it. If you need more 
> > information then please let me know.
> >
> > Simon.
>
> --
> https://mail.python.org/mailman/listinfo/python-list

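The two defences from the replies above, combined in one added Python example that is not code from the thread or from Simon's project: Thomas Passin's limited "API" of named methods with strictly typed parameters (here CPU count and RAM, as Simon describes), and Peter Holzer's point that ssh joins its trailing arguments with spaces, so each word must be quoted for the remote shell or sent out of band (JSON on stdin). It assumes a POSIX login shell on the FreeBSD host, which is what shlex.quote targets; the script path, method names and limits are hypothetical.

```python
import json
import shlex

# Constructed example, not code from the thread. The web side accepts only an
# allow-listed set of methods with typed parameters, and every word appended to
# the ssh command line is quoted for the remote POSIX shell (FreeBSD sh is
# assumed). The path, method names and limits below are hypothetical.
REMOTE_SCRIPT = "/usr/local/libexec/provision.py"

def _int_in_range(lo: int, hi: int):
    def check(value):
        n = int(value)          # junk such as "4; id" fails here with ValueError
        if not lo <= n <= hi:
            raise ValueError(f"{n} outside {lo}..{hi}")
        return n
    return check

# Allow-list: method -> {parameter: validator returning the cleaned value}
METHODS = {
    "create_vm": {"cpus": _int_in_range(1, 16), "ram_mb": _int_in_range(256, 65536)},
    "destroy_vm": {"vm_id": _int_in_range(1, 10000)},
}

def validate_request(method: str, params: dict) -> dict:
    """Reject unknown methods and unexpected or missing parameters."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    spec = METHODS[method]
    if set(params) != set(spec):
        raise ValueError(f"expected parameters {sorted(spec)}, got {sorted(params)}")
    return {name: check(params[name]) for name, check in spec.items()}

def quote_remote_words(words: list) -> str:
    """ssh joins its trailing arguments with spaces and the remote shell
    re-splits them, so quote each word: ['a', 'b c'] -> "a 'b c'"."""
    return " ".join(shlex.quote(w) for w in words)

def build_ssh_argv(host: str, method: str, params: dict) -> list:
    """argv for subprocess.run(); the remote command is one pre-quoted string."""
    clean = validate_request(method, params)
    words = [REMOTE_SCRIPT, method] + [f"--{k}={v}" for k, v in clean.items()]
    return ["ssh", "-T", host, quote_remote_words(words)]

def build_stdin_request(host: str, method: str, params: dict) -> tuple:
    """Alternative from the reply: ship the arguments as JSON on stdin so the
    remote shell never parses them (remote side does json.load(sys.stdin))."""
    clean = validate_request(method, params)
    payload = json.dumps({"method": method, "params": clean}).encode()
    return ["ssh", "-T", host, shlex.quote(REMOTE_SCRIPT)], payload
```

Pass the argv list to subprocess.run() without shell=True so the local side never re-parses it either; the quoting only has to be right for the remote login shell.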