From 717acb8efeb3b644365ce2bceb25c36a5ef7ecc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yannik=20R=C3=B6del?=
Date: Thu, 4 Apr 2024 17:47:55 +0200
Subject: [PATCH] Validate Email regex before submitting forms
---
 cgi-bin/form.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cgi-bin/form.py b/cgi-bin/form.py
index 8087cc0..5ca8b69 100755
--- a/cgi-bin/form.py
+++ b/cgi-bin/form.py
@@ -34,6 +34,9 @@ except IOError:
 HONEYPOT_FIELD_NAME = "addressline1"
+# This regex merely validates what the in-browser form validation already checks and
+# isn't all too strict.
+EMAIL_REGEX = re.compile(r"^[^ ]+@[^ ]+\.[^ ]+$")
 SITE_DIRECTORY = os.environ.get("SITE_DIRECTORY", "")
 request_uri = os.environ.get("REQUEST_URI", "").lower().rstrip("/")
@@ -183,7 +186,11 @@ if not isinstance(hcaptcha_data, Mapping) or not hcaptcha_data.get("success", Fa
 # Extract all the actually provided form data. This is different from form to
 # form (see the match block below).
 contact_name = get_form_value("contactname")
+
 contact_email = get_form_value("contactemail")
+if not EMAIL_REGEX.fullmatch(contact_email):
+    fail("400 Bad Request", "Invalid Email address")
+
 message = get_form_value("message", "[Keine Nachricht hinterlassen]")
 attachment: Optional[tuple[str, bytes]] = None
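Review bot: `[^ ]` in the new EMAIL_REGEX excludes only the literal space, so tabs, carriage returns and newlines still pass, and `fullmatch` does not help because `[^ ]+` consumes a trailing `\n` itself; if contact_email is later written into a mail header or a log line, CRLF-separated text is not rejected by this check. Switching the class to `\s` keeps the deliberately lenient intent stated in the comment while excluding all whitespace and a second `@`: `EMAIL_REGEX = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")` (the `^`/`$` anchors are redundant under `fullmatch`). The hunk does not show an `import re`; since the compile runs at module import time, confirm the import exists at the top of form.py.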
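Review bot: `EMAIL_REGEX.fullmatch(contact_email)` raises TypeError if `get_form_value("contactemail")` returns None for an absent field, which would surface as a server error instead of the intended 400; the `message` lookup two lines below passes an explicit default, so this call may well return None when the field is missing, but get_form_value's definition is outside the hunk and should be checked. Either supply a default, `contact_email = get_form_value("contactemail", "")`, or guard the match: `if not contact_email or not EMAIL_REGEX.fullmatch(contact_email):`. A short comment above the check, `# Reject before any further processing; fail() does not return`, would also make the control flow explicit for readers who do not know fail().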