Protecting against gmail dot trick in Discourse

I reverted my change here and instead introduced this new awesome default.

https://github.com/discourse/discourse/commit/cbceadf48b60b29fb710586e2b03bde4c5fe0883

This means that if evil.person+77@gmail.com gets blocked we will go ahead and block evilperson@gmail.com instead.

Then when e.v.i.l.person@gmail.com tries to sneak in they will be blocked due to canonical matching.

This entirely solves the OP here, and is a very clean and safe change all Discourse instances can benefit from.

Going to close this off as complete in a week.

13 Likes