- Issue created by @znerol
- 🇨🇭Switzerland znerol
Postponed on ✨ Use structured DSN instead of URI in system.mail mailer_dsn Fixed .
- Status changed to Active
about 1 year ago 9:47pm 23 November 2023 - 🇨🇭Switzerland znerol
According to RFC 3986 Appendix A, syntax validation of the
scheme
key seems possible with a regex.ABNF for scheme is:
scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
Translated to a regex:
/[a-z][a-z0-9+\-\.]*/i
The
host
part seems tricky just with a regex. It may be an IP address literal or alternatively it may be a string of alphanumeric plus quite some punctuation characters. The host part may even contain percent escaped characters. Also the IP address literals are allowed in numerous different formats.I think that for the
host
field it would be best to implement a custom validator.There is no restriction for the
user
andpassword
fields. The parse_url and urldecode (as used by DSN::fromString()) happily accept various control characters (including "%00"). Remote systems probably wouldn't accept user names and passwords with newlines and tabs, but from a spec point of view, such strings are acceptable.Same for the option values. They actually can contain anything.
- Merge request !5535Issue #3401255: Tighten config validation schema of system.mail mailer_dsn → (Open) created by znerol
- Status changed to Needs review
about 1 year ago 1:08pm 24 November 2023 - 🇨🇭Switzerland znerol
It looks like
parse_url()
accepts a wide range of characters in the host part which are clearly not allowed according to the RFC. E.g., non-ascii letters, the ampersand, colons outside of brackets, etc. However, it replaces control characters with an underscore (including newlines).Hence, let's reuse the regex from the label data type for the host field.
- Status changed to Needs work
about 1 year ago 10:33pm 25 November 2023 - 🇺🇸United States smustgrave
For the new schema type could we get a change record.
- Status changed to Needs review
about 1 year ago 10:55am 26 November 2023 - Status changed to RTBC
about 1 year ago 5:59pm 26 November 2023 - 🇺🇸United States smustgrave
Thanks! The config move to it's own type seems fine to me.
- Status changed to Needs work
12 months ago 6:59am 24 December 2023 - 🇳🇿New Zealand quietone
This is more than just a config move, it is also adding constraints. And as such I think those new constraints need to be accompanied with tests.
- Status changed to Needs review
7 months ago 1:45pm 12 May 2024 - Status changed to Needs work
7 months ago 5:37pm 14 May 2024 - 🇺🇸United States smustgrave
Left a comment on the MR.
Don't think we will need an upgrade path as the types don't seem to be changing but not 100% on that.
- Status changed to Needs review
7 months ago 6:39am 16 May 2024 - 🇨🇭Switzerland znerol
I added the
FullyValidatable
constraint to the @system.mail@ config. But honestly, I'm not quite sure on which level this should be added (config level or core datatype level, or even/additionally in @mailer_dsn.options.x@). - 🇨🇭Switzerland znerol
Gist of a slack conversation with @penyaskito:
@znerol saw that, but still think hostname should re-use symfony validator instead of just validating no control characters. The stricter the better. And even if we don't, I'm pretty sure we will need to reuse the symfony constraints at some point.
Turned out that the
Hostname
validator isn't quite enough, since thehost
parameter also should accept IP addresses. I've investigated whether it would be possible to implement this using theAtLeastOneOf
and a combination ofHostname
andIp
. But that doesn't allow for IPv6 literals (enclosed in brackets).I guess it would be best to just introduce an
UriHost
constraint, which implements RFC 3986 section 3.2.2. - 🇨🇭Switzerland znerol
Added tests for the new
UriHost
constraint. Note thatfilter_var($value, \FILTER_VALIDATE_DOMAIN, \FILTER_FLAG_HOSTNAME)
accepts every valid IPv4, thus removed the explicit call tofilter_var($value, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV4)
. - 🇧🇪Belgium borisson_ Mechelen, 🇧🇪
I love the new test coverage here, this is really good. I had one remark on the type definition, but I'm not sure if that would be better.
- Status changed to Needs work
7 months ago 6:47pm 20 May 2024 The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
7 months ago 6:51pm 20 May 2024 - Status changed to Needs work
7 months ago 7:12pm 20 May 2024 The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
7 months ago 3:52pm 23 May 2024 - 🇨🇭Switzerland znerol
Now that 🐛 A revert has cause cspell to fail due to the word yarhar Active is fixed, this shouldn't fail the needs review queue bot anymore.
- Status changed to RTBC
7 months ago 6:43pm 31 May 2024 - 🇺🇸United States smustgrave
Ran test-only feature https://git.drupalcode.org/issue/drupal-3401255/-/jobs/1638536 which shows coverage.
Appears all feedback has been addressed
I reviewed the CR and detail is on point.
Believe this one to be good to go.
- 🇪🇸Spain penyaskito Seville 💃, Spain 🇪🇸, UTC+2 🇪🇺
znerol → credited penyaskito → .
- 🇺🇸United States phenaproxima Massachusetts
znerol → credited phenaproxima → .
- 🇨🇭Switzerland znerol
Copied credits over from 📌 Add validation constraints to system.mail Needs work
- Status changed to Needs work
6 months ago 4:05pm 11 June 2024 The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
6 months ago 5:21pm 11 June 2024 - Status changed to RTBC
6 months ago 5:24pm 11 June 2024 - Status changed to Needs work
6 months ago 12:01pm 27 June 2024 - 🇬🇧United Kingdom alexpott 🇪🇺🌍
I think if we make password and user are now nullable I think we should consider whether we allow blanks. And if we don;t allow blanks then we might need a update path.
- Status changed to Needs review
6 months ago 3:49pm 27 June 2024 - 🇨🇭Switzerland znerol
I feel that the proposed changes do have some potential for breakage. Keep in mind that transports are pluggable. And there are some transports in the wild which are using HTTPS to talk directly to an API instead of SMTP.
I did encounter API keys in the past, which leveraged basic auth in weird ways. In one example the whole API key went into the user part, and the password part was supposed to be left blank. See this random bug report on python requests which is referring to that method.
For that reason, I'd prefer if we wouldn't add the
NotBlank
constraints, unless there are strong reasons for it. - Status changed to RTBC
6 months ago 8:53am 28 June 2024 -
alexpott →
committed 87bf1eef on 11.x
Issue #3401255 by znerol, smustgrave, borisson_, phenaproxima,...
-
alexpott →
committed 87bf1eef on 11.x
- Status changed to Fixed
6 months ago 9:01am 28 June 2024 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Very nice — I hadn't seen this while working on 📌 Add validation constraints to system.mail Needs work , but #17 is a good reason to not reuse Symfony's existing
Hostname
validation constraint 👍 Automatically closed - issue fixed for 2 weeks with no activity.