From 631ff88451779f868c4837c5d929bfd29303c418 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Mon, 1 Aug 2022 14:05:23 -0700
Subject: [PATCH] RA: Reject emails that end with '#' (#6267)
The Fragment field of a parsed URL is only non-empty if there is text following the octothorpe character. Check for the case that the mailto: address ends in an octothorpe with no trailing value.
Fixes #6231
---
 ra/ra.go | 2 +-
 ra/ra_test.go | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ra/ra.go b/ra/ra.go
index 3fe519dc0..82186b3d3 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -471,7 +471,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
 if parsed.RawQuery != "" || contact[len(contact)-1] == '?' {
 return berrors.InvalidEmailError("contact email %q contains a question mark", contact)
 }
- if parsed.Fragment != "" {
+ if parsed.Fragment != "" || contact[len(contact)-1] == '#' {
 return berrors.InvalidEmailError("contact email %q contains a '#'", contact)
 }
 if !core.IsASCII(contact) {
diff --git a/ra/ra_test.go b/ra/ra_test.go
index 1a21a9791..a219acff9 100644
--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@@ -419,6 +419,9 @@ func TestValidateContacts(t *testing.T) {
 err = ra.validateContacts(context.Background(), []string{"mailto:example@a.com?"})
 test.AssertError(t, err, "No hfields in email")
+ err = ra.validateContacts(context.Background(), []string{"mailto:example@a.com#"})
+ test.AssertError(t, err, "No fragment")
+
 err = ra.validateContacts(context.Background(), []string{"mailto:example@a.com#optional"})
 test.AssertError(t, err, "No fragment")
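Review bot: The raw-string test `contact[len(contact)-1] == '#'` added to the fragment check has no comment saying why the parsed field is not enough, so the reason lives only in the commit message; add `// url.Parse leaves Fragment empty when '#' is the last character, so check the raw string too.` above the condition. The same applies to the existing `'?'` check just before it. Since both branches exist to catch a delimiter the parser consumes silently, a single raw-string test such as `strings.Contains(contact, "#")` would probably express the rule more directly, assuming `strings` is already imported in ra.go. validateContacts starts and ends outside the hunk, so whether an empty contact is rejected before these index expressions is not visible here.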
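Review bot: The new assertion for `mailto:example@a.com#` reuses the failure message `"No fragment"` of the `#optional` case below it, so a failing run does not say which input was accepted; `test.AssertError(t, err, "No empty fragment")` would keep them apart. The test also seems to check only that some error came back, so it would still pass if this contact were rejected by a different branch of validateContacts; asserting that the message contains `contains a '#'` would pin the new condition. TestValidateContacts continues outside the hunk.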