diff options
| author | Mark Sapiro <msapiro@value.net> | 2011-11-13 16:47:19 -0800 |
|---|---|---|
| committer | Mark Sapiro <msapiro@value.net> | 2011-11-13 16:47:19 -0800 |
| commit | a5cf72fd54db8261f0398e449d633247efbe40a2 (patch) | |
| tree | 7353c52f492cb9a3d53ab1ac87ea440deab698cf /Mailman/Utils.py | |
| parent | 727b7288718ad81c658517d08338c07a22dd1793 (diff) | |
| download | mailman2-a5cf72fd54db8261f0398e449d633247efbe40a2.tar.gz mailman2-a5cf72fd54db8261f0398e449d633247efbe40a2.tar.xz mailman2-a5cf72fd54db8261f0398e449d633247efbe40a2.zip | |
Strengthened the validation of email addresses.
Diffstat (limited to 'Mailman/Utils.py')
| -rw-r--r-- | Mailman/Utils.py | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 041e8c3e..93e1fba1 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -212,10 +212,9 @@ def LCDomain(addr): # TBD: what other characters should be disallowed? -_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]') -# characters in addition to _badchars which are not allowed in -# unquoted local parts. -_specials = re.compile(r'[:\\"]') +_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\377]') +# Strictly speaking, some of the above are allowed in quoted local parts, but +# this can open the door to certain web exploits so we don't allow them. # Only characters allowed in domain parts. _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE) @@ -232,10 +231,6 @@ def ValidateEmail(s): raise Errors.MMBadEmailError, s if len(domain_parts) < 2: raise Errors.MMBadEmailError, s - if not (user.startswith('"') and user.endswith('"')): - # local part is not quoted so it can't contain specials - if _specials.search(user): - raise Errors.MMBadEmailError, s # domain parts may only contain ascii letters, digits and hyphen for p in domain_parts: if len(_valid_domain.sub('', p)) > 0: |