author | Mark Sapiro <msapiro@value.net> | 2011-09-15 17:21:55 -0700 |
---|---|---|
committer | Mark Sapiro <msapiro@value.net> | 2011-09-15 17:21:55 -0700 |
commit | 6f19d6a0134aba24cc903cf4731211e0b9cb6787 (patch) | |
tree | 0af4142f621dbab1d539f969e59feffec5e8fa3d | |
parent | 6a4a76c44bb5a86870bf5152e13779397564cdc4 (diff) | |
Strengthened the validation of email address domains.
-rw-r--r-- | Mailman/Utils.py | 6 | ||||
-rw-r--r-- | NEWS | 2 |
2 files changed, 8 insertions, 0 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index c93df81f..041e8c3e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -216,6 +216,8 @@ _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
 # characters in addition to _badchars which are not allowed in
 # unquoted local parts.
 _specials = re.compile(r'[:\\"]')
+# Only characters allowed in domain parts.
+_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
 
 def ValidateEmail(s):
     """Verify that an email address isn't grossly evil."""
@@ -234,6 +236,10 @@ def ValidateEmail(s):
     # local part is not quoted so it can't contain specials
     if _specials.search(user):
         raise Errors.MMBadEmailError, s
+    # domain parts may only contain ascii letters, digits and hyphen
+    for p in domain_parts:
+        if len(_valid_domain.sub('', p)) > 0:
+            raise Errors.MMHostileAddress, s
@@ -8,6 +8,8 @@ Here is a history of user visible changes to Mailman.
   Security
+    - Strengthened the validation of email address domains.
+    - An XSS vulnerability, CVE-2011-0707, has been fixed.
   New Features
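Review bot: The loop added at the end of ValidateEmail still accepts an empty domain label, since `_valid_domain.sub('', '')` is `''` and the `len(...) > 0` test then passes; if domain_parts is a plain split on '.' (it is built earlier in the function, outside this hunk) a domain with consecutive dots or a trailing dot clears the new check. Tightening the condition to `if not p or _valid_domain.sub('', p):` closes that gap in one line. The definition in the first hunk also reads backwards: `_valid_domain` matches the allowed characters and the check looks for what survives stripping them, whereas a negated class `re.compile(r'[^-a-z0-9]', re.IGNORECASE)` used with `.search(p)` states the rule directly and mirrors how `_badchars` and `_specials` are used just above it. Leading or trailing hyphens and label length are still not checked, which may be acceptable given the docstring's "grossly evil" bar, but is worth a comment on the loop if it is deliberate.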