Changed Utils.ValidateEmail to not allow specials (particularly ':')

in unquoted local parts (SF bug # 1956393).

2 files changed, 12 insertions, 2 deletions

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 7b2cf439..cd9faa41 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -203,6 +203,9 @@ def LCDomain(addr):
 
 # TBD: what other characters should be disallowed?
 _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
+# characters in addition to _badchars which are not allowed in
+# unquoted local parts.
+_specials = re.compile(r'[:\\"]')
 
 def ValidateEmail(s):
     """Verify that an email address isn't grossly evil."""
@@ -212,11 +215,15 @@ def ValidateEmail(s):
     if _badchars.search(s) or s[0] == '-':
         raise Errors.MMHostileAddress, s
     user, domain_parts = ParseEmail(s)
-    # This means local, unqualified addresses, are no allowed
+    # This means local, unqualified addresses, are not allowed
     if not domain_parts:
         raise Errors.MMBadEmailError, s
     if len(domain_parts) < 2:
         raise Errors.MMBadEmailError, s
+    if not (user.startswith('"') and user.endswith('"')):
+        # local part is not quoted so it can't contain specials
+        if _specials.search(user):
+            raise Errors.MMBadEmailError, s
 
 
 
diff --git a/NEWS b/NEWS
index 1e20e80e..912cfe4a 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ Here is a history of user visible changes to Mailman.
       templates/xx to lists/xx if a list has the same name as a language
       code.  Also fixed the absolute path to lists/ (1418670 ).
 
+    - Changed Utils.ValidateEmail to not allow specials (particularly ':')
+      in unquoted local parts (1956393).
+
 2.1.10 (21-Apr-2008)
 
   Security