authorMark Sapiro <msapiro@value.net>2011-11-13 16:47:19 -0800
committerMark Sapiro <msapiro@value.net>2011-11-13 16:47:19 -0800
commita5cf72fd54db8261f0398e449d633247efbe40a2 (patch)
tree7353c52f492cb9a3d53ab1ac87ea440deab698cf
parent727b7288718ad81c658517d08338c07a22dd1793 (diff)
Strengthened the validation of email addresses.
-rw-r--r--Mailman/Utils.py11
-rw-r--r--NEWS2
2 files changed, 4 insertions, 9 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 041e8c3e..93e1fba1 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -212,10 +212,9 @@ def LCDomain(addr):
# TBD: what other characters should be disallowed?
-_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
-# characters in addition to _badchars which are not allowed in
-# unquoted local parts.
-_specials = re.compile(r'[:\\"]')
+_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\377]')
+# Strictly speaking, some of the above are allowed in quoted local parts, but
+# this can open the door to certain web exploits so we don't allow them.
# Only characters allowed in domain parts.
_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
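Review bot: The widened `_badchars` class on the `+_badchars` line only spans the byte range `\000-\037\177-\377`, so if `ValidateEmail` is ever called with a `unicode` object rather than a byte string, code points above U+00FF (full-width quotes, U+2028, and so on) slip through even though the evident intent is to block non-ASCII input; the caller's input type is not visible here, so this is a point to confirm, and a cheap belt-and-braces check is to reject anything that is not 7-bit ASCII before the regex runs. The new comment `# this can open the door to certain web exploits` would serve a maintainer better if it named the concern; since the NEWS entry in this same commit records an XSS fix, something like `# '<', '>', '"' etc. are rejected even where RFC 5322 allows them, because an address echoed into HTML can otherwise carry markup (XSS)` seems to be what is meant, but please confirm. The `# TBD: what other characters should be disallowed?` line above still stands: space (`\040`) remains allowed by this class, which is worth stating explicitly as intended or adding to the class.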
@@ -232,10 +231,6 @@ def ValidateEmail(s):
raise Errors.MMBadEmailError, s
if len(domain_parts) < 2:
raise Errors.MMBadEmailError, s
- if not (user.startswith('"') and user.endswith('"')):
- # local part is not quoted so it can't contain specials
- if _specials.search(user):
- raise Errors.MMBadEmailError, s
# domain parts may only contain ascii letters, digits and hyphen
for p in domain_parts:
if len(_valid_domain.sub('', p)) > 0:
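Review bot: With the quoted-local-part exception removed, the surviving domain loop still accepts an empty label: `_valid_domain.sub('', '')` is `''`, so `len(...) > 0` is false and an address like `user@example..com` or `user@.com` passes, assuming `domain_parts` is produced by splitting on `.` (the split is above the hunk, so this is inferred). A one-line tightening is `if not p or len(_valid_domain.sub('', p)) > 0:` followed by the existing `raise Errors.MMBadEmailError, s`. Note also that `_valid_domain` permits labels that begin or end with `-`, which DNS hostnames do not allow, if you want to tighten further. The body of `ValidateEmail` begins before this hunk.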
diff --git a/NEWS b/NEWS
index 37d9348a..c06f1cf2 100644
--- a/NEWS
+++ b/NEWS
@@ -8,7 +8,7 @@ Here is a history of user visible changes to Mailman.
Security
- - Strengthened the validation of email address domains.
+ - Strengthened the validation of email addresses.
- An XSS vulnerability, CVE-2011-0707, has been fixed.