[GH-ISSUE #31] API returns "invalid email address" for every email address #18

Closed
opened 2026-02-25 23:39:37 +03:00 by kerem · 1 comment

Originally created by @Dan-Q on GitHub (Aug 12, 2021).
Original GitHub issue: https://github.com/HaschekSolutions/opentrashmail/issues/31

Change 935d11a189552195c1f5f90d0908936801073cde wraps `strtolower($_REQUEST['email'])` in `basename(realpath(...))`, which is important for preventing path traversal attacks... but breaks much of the functionality.

Making this change means that the `$email` variable contains a _path_, not an email address, and so subsequent calls to `filter_var($email, FILTER_VALIDATE_EMAIL)` always return `false`. Therefore, the API does not work.

Suggested change: perform all email filtering at the top, _before_ running `basename`/`realpath`, and return the error only if (a) an email request parameter is passed and (b) the filter returns false. Then just use and trust the `$email` variable in the `attachment`, `load`, and `list` methods.

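The two orderings discussed in the issue, side by side, as an added PHP example. This is not opentrashmail's code and not the issue author's; it assumes PHP 8 and uses illustrative names (`broken_lookup`, `validated_email`, `mailbox_dir`, `$request`, `$mail_root`) that do not come from the project. It also adds a check a practitioner would want before a validated address is used as a directory name: `FILTER_VALIDATE_EMAIL` follows RFC 5322, whose local part may contain `/` unquoted and `..` inside a quoted local part, so passing the filter does not by itself make the value a single safe path component.

```php
<?php
declare(strict_types=1);

// Added example, not opentrashmail's code. Function and parameter names are
// illustrative and not taken from the project.

// Ordering the issue reports as broken: sanitise first, validate second.
// realpath() returns false for a relative path that does not exist on disk
// (an e-mail address never does), (string) false is "", basename("") is "",
// and filter_var("", FILTER_VALIDATE_EMAIL) is false, so every address is
// rejected, valid or not.
function broken_lookup(array $request): string|false
{
    $email = basename((string) realpath(strtolower((string) ($request['email'] ?? ''))));
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}

// Ordering the issue suggests: validate the raw parameter first, and raise the
// error only when (a) an email parameter was passed and (b) the filter rejects
// it. Returns null when no parameter is present at all.
function validated_email(array $request): ?string
{
    if (!isset($request['email'])) {
        return null;
    }
    $email = filter_var(strtolower((string) $request['email']), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $email;
}

// Extra guard before the validated address becomes a directory name.
// RFC 5322 permits "/" in an unquoted local part and ".." inside a quoted
// local part, so insist that the value is exactly one path component with
// no NUL byte and no "..".
function mailbox_dir(string $mail_root, string $email): string
{
    if ($email !== basename($email)
        || str_contains($email, "\0")
        || str_contains($email, '..')) {
        throw new InvalidArgumentException('email address is not a safe path component');
    }
    return $mail_root . '/' . $email;
}

// Demonstration on constructed inputs; no real request is handled here.
$cases = [
    ['email' => 'Someone@Example.com'],    // ordinary address, lower-cased by both paths
    ['email' => '../../etc/passwd'],       // traversal attempt, not an address
    ['email' => '"../../x"@example.com'],  // RFC-valid quoted local part containing ".."
    [],                                    // no email parameter at all
];

foreach ($cases as $request) {
    $broken = broken_lookup($request);     // false for every case above
    try {
        $email = validated_email($request);
        $dir = $email === null
            ? '(no email parameter)'
            : mailbox_dir('/var/opentrashmail/data', $email);  // illustrative root
    } catch (InvalidArgumentException $e) {
        $dir = 'rejected: ' . $e->getMessage();
    }
    printf("%-28s broken=%s  suggested=%s\n",
        var_export($request['email'] ?? null, true),
        var_export($broken, true),
        $dir);
}
```

The first case is the one the issue is about: `broken_lookup()` returns `false` for a perfectly good address, while `validated_email()` accepts it. The second case is rejected by `filter_var()` in both orderings. The third case passes `filter_var()` and is stopped only by `mailbox_dir()`, which is why the guard is there even after validation moves to the top.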
kerem closed this issue 2026-02-25 23:39:37 +03:00

@Dan-Q commented on GitHub (Aug 12, 2021):

Dupe of #29.
