Improve the error message for IDNA domains being too long by handling the length check ourselves rather than in idna.encode

JoshData · JoshData · commit c23c0d66cbf4 · 2024-06-19T12:02:49.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@ In Development
 
 * Email addresses with internationalized local parts could, with rare Unicode characters, be returned as valid but actually be invalid in their normalized form (returned in the `normalized` field). Local parts now re-validated after Unicode NFC normalization to ensure that invalid characters cannot be injected into the normalized address and that characters with length-increasing NFC normalizations cannot cause a local part to exceed the maximum length after normalization.
 * The length check for email addresses with internationalized local parts is now also applied to the original address string prior to Unicode NFC normalization, which may be longer and could exceed the maximum email address length, to protect callers who do not use the returned normalized address.
+* Improved error message for IDNA domains that are too long.
 * A new option to parse `My Name <address@domain>` strings, i.e. a display name plus an email address in angle brackets, is now available. It is off by default.
 
 2.1.2 (June 16, 2024)
diff --git a/email_validator/syntax.py b/email_validator/syntax.py
@@ -469,6 +469,7 @@ def validate_email_domain_name(domain: str, test_environment: bool = False, glob
     # such as "⒈" which is invalid because it would expand to include a dot.
     # Since several characters are normalized to a dot, this has to come before
     # checks related to dots, like check_dot_atom which comes next.
+    original_domain = domain
     try:
         domain = idna.uts46_remap(domain, std3_rules=False, transitional=False)
     except idna.IDNAError as e:
@@ -498,29 +499,22 @@ def validate_email_domain_name(domain: str, test_environment: bool = False, glob
         # the MTA must either support SMTPUTF8 or the mail client must convert the
         # domain name to IDNA before submission.
         #
-        # Unfortunately this step incorrectly 'fixes' domain names with leading
-        # periods by removing them, so we have to check for this above. It also gives
-        # a funky error message ("No input") when there are two periods in a
-        # row, also checked separately above.
-        #
         # For ASCII-only domains, the transformation does nothing and is safe to
         # apply. However, to ensure we don't rely on the idna library for basic
         # syntax checks, we don't use it if it's not needed.
         #
-        # uts46 is off here because it is handled above.
+        # idna.encode also checks the domain name length after encoding but it
+        # doesn't give a nice error, so we call the underlying idna.alabel method
+        # directly. idna.alabel checks label length and doesn't give great messages,
+        # but we can't easily go to lower level methods.
         try:
-            ascii_domain = idna.encode(domain, uts46=False).decode("ascii")
+            ascii_domain = ".".join(
+                idna.alabel(label).decode("ascii")
+                for label in domain.split(".")
+            )
         except idna.IDNAError as e:
-            if "Domain too long" in str(e):
-                # We can't really be more specific because UTS-46 normalization means
-                # the length check is applied to a string that is different from the
-                # one the user supplied. Also I'm not sure if the length check applies
-                # to the internationalized form, the IDNA ASCII form, or even both!
-                raise EmailSyntaxError("The email address is too long after the @-sign.") from e
-
-            # Other errors seem to not be possible because the call to idna.uts46_remap
-            # would have already raised them.
-            raise EmailSyntaxError(f"The part after the @-sign contains invalid characters ({e}).") from e
+            # Some errors would have already been raised by idna.uts46_remap.
+            raise EmailSyntaxError(f"The part after the @-sign is invalid ({e}).") from e
 
         # Check the syntax of the string returned by idna.encode.
         # It should never fail.
@@ -535,8 +529,13 @@ def validate_email_domain_name(domain: str, test_environment: bool = False, glob
     # as IDNA ASCII. (This is also checked by idna.encode, so this exception
     # is never reached for internationalized domains.)
     if len(ascii_domain) > DOMAIN_MAX_LENGTH:
-        reason = get_length_reason(ascii_domain, limit=DOMAIN_MAX_LENGTH)
-        raise EmailSyntaxError(f"The email address is too long after the @-sign {reason}.")
+        if ascii_domain == original_domain:
+            reason = get_length_reason(ascii_domain, limit=DOMAIN_MAX_LENGTH)
+            raise EmailSyntaxError(f"The email address is too long after the @-sign {reason}.")
+        else:
+            diff = len(ascii_domain) - DOMAIN_MAX_LENGTH
+            s = "" if diff == 1 else "s"
+            raise EmailSyntaxError(f"The email address is too long after the @-sign ({diff} byte{s} too many after IDNA encoding).")
 
     # Also check the label length limit.
     # (RFC 1035 2.3.1)
diff --git a/tests/test_syntax.py b/tests/test_syntax.py
@@ -406,10 +406,11 @@ def test_domain_literal() -> None:
         ('111111111122222222223333333333444444444455555555556666666666777777@example.com', 'The email address is too long before the @-sign (2 characters too many).'),
         ('\uFB2C111111122222222223333333333444444444455555555556666666666777777@example.com', 'After Unicode normalization: The email address is too long before the @-sign (2 characters too many).'),
         ('me@1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.11111111112222222222333333333344444444445555555555.com', 'The email address is too long after the @-sign (1 character too many).'),
-        ('me@中1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444.com', 'The email address is too long after the @-sign.'),
+        ('me@中1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444.com', 'The email address is too long after the @-sign (1 byte too many after IDNA encoding).'),
+        ('me@\uFB2C1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444.com', 'The email address is too long after the @-sign (5 bytes too many after IDNA encoding).'),
         ('me@1111111111222222222233333333334444444444555555555666666666677777.com', 'After the @-sign, periods cannot be separated by so many characters (1 character too many).'),
         ('me@11111111112222222222333333333344444444445555555556666666666777777.com', 'After the @-sign, periods cannot be separated by so many characters (2 characters too many).'),
-        ('me@中111111111222222222233333333334444444444555555555666666.com', 'The part after the @-sign contains invalid characters (Label too long).'),
+        ('me@中111111111222222222233333333334444444444555555555666666.com', 'The part after the @-sign is invalid (Label too long).'),
         ('meme@1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.com', 'The email address is too long (4 characters too many).'),
         ('my.long.address@1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.11111111112222222222333333333344444.info', 'The email address is too long (2 characters too many).'),
         ('my.long.address@λ111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444444444555555555.6666666666777777777788888888889999999999000000000.1111111111222222222233333333334444.info', 'The email address is too long (1-2 characters too many).'),
