aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <msapiro@value.net>2011-09-15 17:21:55 -0700
committerMark Sapiro <msapiro@value.net>2011-09-15 17:21:55 -0700
commit6f19d6a0134aba24cc903cf4731211e0b9cb6787 (patch)
tree0af4142f621dbab1d539f969e59feffec5e8fa3d
parent6a4a76c44bb5a86870bf5152e13779397564cdc4 (diff)
downloadmailman2-6f19d6a0134aba24cc903cf4731211e0b9cb6787.tar.gz
mailman2-6f19d6a0134aba24cc903cf4731211e0b9cb6787.tar.xz
mailman2-6f19d6a0134aba24cc903cf4731211e0b9cb6787.zip
Strengthened the validation of email address domains.
-rw-r--r--Mailman/Utils.py6
-rw-r--r--NEWS2
2 files changed, 8 insertions, 0 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index c93df81f..041e8c3e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -216,6 +216,8 @@ _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
# characters in addition to _badchars which are not allowed in
# unquoted local parts.
_specials = re.compile(r'[:\\"]')
+# Only characters allowed in domain parts.
+_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
def ValidateEmail(s):
"""Verify that an email address isn't grossly evil."""
@@ -234,6 +236,10 @@ def ValidateEmail(s):
# local part is not quoted so it can't contain specials
if _specials.search(user):
raise Errors.MMBadEmailError, s
+ # domain parts may only contain ascii letters, digits and hyphen
+ for p in domain_parts:
+ if len(_valid_domain.sub('', p)) > 0:
+ raise Errors.MMHostileAddress, s
diff --git a/NEWS b/NEWS
index e4ec8ba9..48f7f907 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ Here is a history of user visible changes to Mailman.
Security
+ - Strengthened the validation of email address domains.
+
- An XSS vulnerability, CVE-2011-0707, has been fixed.
New Features