
Bug in French government’s WhatsApp replacement let anyone join Élysée chats - dagenix
https://arstechnica.com/information-technology/2019/04/french-governments-secure-chat-app-left-door-open-to-outsiders/
======
dagenix
I'm not a big fan of Postel's law / the Robustness Principle [1] and this is a
great example why. Given the email address
"anaddress@protonmail.com@presidence@elysee.fr", one piece of code parsed it
as "presidence@elysee.fr" and another as "anaddress@protonmail.com". Had
either piece of code just rejected it, it sounds like the bug wouldn't have
existed.

(Interestingly, validating email addresses is super, super hard and generally
not worth it. The one check that does seem to generally make sense is to
validate that there is a single "@" in the email address with other characters
to both sides - which would have worked great for this case)

[1] - https://en.wikipedia.org/wiki/Robustness_principle
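The parser disagreement described in the comment above, as an added example that is not part of the original post and not the application's code. The two lenient parsers, the allowlist, and the assignment of roles (domain check versus mail delivery) are assumptions made for illustration; the strict parser implements the single-"@" check the comment suggests.

```python
ALLOWED_DOMAINS = {"elysee.fr"}  # constructed allowlist for this example

# Address quoted in the comment above.
SAMPLE = "anaddress@protonmail.com@presidence@elysee.fr"


def lenient_tail(addr):
    """Hypothetical lenient parser: keeps the last local@domain pair."""
    return "@".join(addr.split("@")[-2:])


def lenient_head(addr):
    """Hypothetical lenient parser: keeps the first local@domain pair."""
    return "@".join(addr.split("@")[:2])


def strict_parse(addr):
    """Accept exactly one '@' with characters on both sides, else reject."""
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError(f"rejected address: {addr!r}")
    return local, domain


def signup_lenient(addr):
    """Two components, two readings of one string (the parser differential)."""
    checked = lenient_tail(addr)    # assumed: what the domain check sees
    delivered = lenient_head(addr)  # assumed: where the confirmation is sent
    allowed = checked.rpartition("@")[2] in ALLOWED_DOMAINS
    return allowed, checked, delivered


def signup_strict(addr):
    """Parse once, reject ambiguity, reuse one canonical value everywhere."""
    local, domain = strict_parse(addr)
    canonical = f"{local}@{domain.lower()}"
    return domain.lower() in ALLOWED_DOMAINS, canonical, canonical


if __name__ == "__main__":
    print("lenient:", signup_lenient(SAMPLE))
    try:
        signup_strict(SAMPLE)
    except ValueError as exc:
        print("strict: ", exc)
```

With the lenient pair, the address passes the allowlist under one reading and is delivered under the other; the strict path rejects it before either decision is made.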

