diff options
author | Mark Sapiro <msapiro@value.net> | 2011-11-13 16:47:19 -0800 |
---|---|---|
committer | Mark Sapiro <msapiro@value.net> | 2011-11-13 16:47:19 -0800 |
commit | a5cf72fd54db8261f0398e449d633247efbe40a2 (patch) | |
tree | 7353c52f492cb9a3d53ab1ac87ea440deab698cf | |
parent | 727b7288718ad81c658517d08338c07a22dd1793 (diff) | |
download | mailman2-a5cf72fd54db8261f0398e449d633247efbe40a2.tar.gz mailman2-a5cf72fd54db8261f0398e449d633247efbe40a2.tar.xz mailman2-a5cf72fd54db8261f0398e449d633247efbe40a2.zip |
Strengthened the validation of email addresses.
-rw-r--r-- | Mailman/Utils.py | 11 | ||||
-rw-r--r-- | NEWS | 2 |
2 files changed, 4 insertions, 9 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 041e8c3e..93e1fba1 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -212,10 +212,9 @@ def LCDomain(addr): # TBD: what other characters should be disallowed? -_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]') -# characters in addition to _badchars which are not allowed in -# unquoted local parts. -_specials = re.compile(r'[:\\"]') +_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\377]') +# Strictly speaking, some of the above are allowed in quoted local parts, but +# this can open the door to certain web exploits so we don't allow them. # Only characters allowed in domain parts. _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE) @@ -232,10 +231,6 @@ def ValidateEmail(s): raise Errors.MMBadEmailError, s if len(domain_parts) < 2: raise Errors.MMBadEmailError, s - if not (user.startswith('"') and user.endswith('"')): - # local part is not quoted so it can't contain specials - if _specials.search(user): - raise Errors.MMBadEmailError, s # domain parts may only contain ascii letters, digits and hyphen for p in domain_parts: if len(_valid_domain.sub('', p)) > 0: @@ -8,7 +8,7 @@ Here is a history of user visible changes to Mailman. Security - - Strengthened the validation of email address domains. + - Strengthened the validation of email addresses. - An XSS vulnerability, CVE-2011-0707, has been fixed. |