Strengthened the validation of email address domains.

2 files changed, 8 insertions, 0 deletions

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index c93df81f..041e8c3e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -216,6 +216,8 @@ _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
 # characters in addition to _badchars which are not allowed in
 # unquoted local parts.
 _specials = re.compile(r'[:\\"]')
+# Only characters allowed in domain parts.
+_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
 
 def ValidateEmail(s):
     """Verify that an email address isn't grossly evil."""
@@ -234,6 +236,10 @@ def ValidateEmail(s):
         # local part is not quoted so it can't contain specials
         if _specials.search(user):
             raise Errors.MMBadEmailError, s
+    # domain parts may only contain ascii letters, digits and hyphen
+    for p in domain_parts:
+        if len(_valid_domain.sub('', p)) > 0:
+            raise Errors.MMHostileAddress, s
 
 
 
diff --git a/NEWS b/NEWS
index e4ec8ba9..48f7f907 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ Here is a history of user visible changes to Mailman.
 
   Security
 
+    - Strengthened the validation of email address domains.
+
     - An XSS vulnerability, CVE-2011-0707, has been fixed.
 
   New Features