User email validation in password reset broken for TLD > 4 characters, fix included

SuiteCRM Max 7.1.1

Description:
User emails with top-level domains of > 4 characters are characterized as invalid.

To reproduce:
Enter a user’s email address as, e.g., foo@bar.private, then go to admin panel and try to send password reset mail.

Solution:
Change line 56 in

modules/Users/GeneratePassword.php

from

$regexmail = "/^\w+(['\.\-\+]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,4})+\$/";

to

$regexmail = "/^\w+(['\.\-\+]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,})+\$/";

Maybe it would be good to do some sanity checking on the TLD instead of saying OK to anything with >2 characters, but it is done this way in modules/Employees/Forms.php and modules/Campaigns/GenerateWebToLeadForm.php so I just did the same here.

$diff -u ~hcb/Downloads/suitecrm7.1.1/modules/Users/GeneratePassword.php modules/Users/GeneratePassword.php
--- /Users/hcb/Downloads/suitecrm7.1.1/modules/Users/GeneratePassword.php	2013-10-21 09:20:26.000000000 +0200
+++ modules/Users/GeneratePassword.php	2014-05-15 20:51:12.000000000 +0200
@@ -53,7 +53,7 @@
 
   	$mod_strings=return_module_language('','Users');
   	$res=$GLOBALS['sugar_config']['passwordsetting'];
-	$regexmail = "/^\w+(['\.\-\+]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,4})+\$/";
+	$regexmail = "/^\w+(['\.\-\+]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,})+\$/";
 
 ///////////////////////////////////////////////////
 ///////  Retrieve user
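Review bot: dropping only the upper bound in the changed `$regexmail` line leaves `(\.\w{2,})+` accepting any run of word characters as the top-level label, so addresses like user@host.1234 or user@host.a_b pass, and the bare `\$` anchor (no `D` modifier) also lets a value with a trailing newline through. If the intent is to reject obviously bogus TLDs rather than just long ones, restrict the final label to letters, e.g. `(\.[A-Za-z]{2,})+` with the `D` modifier, or replace the hand-rolled pattern with `filter_var($email, FILTER_VALIDATE_EMAIL)`. Since the description says the same pattern lives in modules/Employees/Forms.php and modules/Campaigns/GenerateWebToLeadForm.php, a shared helper would keep the three copies from drifting apart again.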

Thanks for this post, and for your fix/solution!

Thanks. And, it should be me thanking you for open-sourcing SuiteCRM :)

By the way:

By when will this be incorporated? This was reported 10 months ago already. The newest version still has the same bug.

Hi,

I’ve added this to the list of GitHub issues here: https://github.com/salesagility/SuiteCRM/issues/218

Thanks,
Jim

There's another location as well, I believe. In /include/HTMLPurifier.standalone.php line 13231 is also doing

$result = preg_match('/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i', $string);

in case that needs changing too.
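The following script is an added example, not code from SuiteCRM or HTMLPurifier. It runs the three patterns quoted in this thread (the GeneratePassword.php regex before and after the {2,4} to {2,} change from the first post, and the HTMLPurifier SimpleCheck regex from the reply above) over a handful of constructed addresses, so the effect of the fix and what the looser pattern still lets through can be seen side by side. The HTMLPurifier pattern is written here with the dot before the TLD escaped (`\.`), which is how the HTMLPurifier source spells it; the addresses and the `check_address` helper are this example's own.

```php
<?php
// Added example, not SuiteCRM or HTMLPurifier code. Runs the three regexes
// quoted in this thread over constructed addresses so the effect of the
// {2,4} -> {2,} change, and what the looser pattern still accepts, can be
// seen side by side.

$patterns = [
    // modules/Users/GeneratePassword.php line 56 before the fix
    'GeneratePassword (before)' => "/^\w+(['\.\-\+]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,4})+\$/",
    // the same line after the fix
    'GeneratePassword (after)'  => "/^\w+(['\.\-\+]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,})+\$/",
    // include/HTMLPurifier.standalone.php SimpleCheck; the dot before the
    // TLD is escaped here as in the HTMLPurifier source
    'HTMLPurifier SimpleCheck'  => '/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i',
];

// Constructed addresses (not taken from the report), chosen to probe the
// TLD length bound, the character class of the last label, and how a
// bare $ anchor treats a trailing newline.
$addresses = [
    'foo@bar.com',          // 3-char TLD
    'foo@bar.info',         // 4-char TLD, the old upper bound
    'foo@bar.co.uk',        // two labels after the host name
    'foo@bar.private',      // 7-char TLD, the case from the report
    'foo@bar.photography',  // 11-char TLD
    'foo@bar.x',            // 1-char TLD, below the {2,} lower bound
    'foo@bar.1234',         // digits only in the last label: \w vs [A-Z]
    "foo@bar.com\n",        // trailing newline: PCRE $ without the D modifier
                            // also matches just before a final "\n"
];

/** Returns [pattern name => bool] for one address. */
function check_address(array $patterns, string $address): array
{
    $result = [];
    foreach ($patterns as $name => $regex) {
        $result[$name] = preg_match($regex, $address) === 1;
    }
    return $result;
}

// Print a comparison table: one row per address, one column per pattern.
printf("%-24s", 'address');
foreach (array_keys($patterns) as $name) {
    printf(" %-26s", $name);
}
echo "\n";

foreach ($addresses as $address) {
    printf("%-24s", json_encode($address));   // json_encode keeps the "\n" visible
    foreach (check_address($patterns, $address) as $accepted) {
        printf(" %-26s", $accepted ? 'accept' : 'reject');
    }
    echo "\n";
}
```

Run it with `php` on the command line. The table makes the two points of the thread concrete: only the patched pattern accepts foo@bar.private and foo@bar.photography, while the HTMLPurifier pattern rejects them for the same {2,4} reason; and the patched pattern still accepts foo@bar.1234 (because `\w` admits digits and underscore) and "foo@bar.com\n" (because `$` without the `D` modifier also matches before a final newline), which is the sanity-check caveat raised in the original post.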