diff options
Diffstat (limited to '')
| -rw-r--r-- | Mailman/Utils.py | 11 | ||||
| -rw-r--r-- | NEWS | 3 |
2 files changed, 12 insertions, 2 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 7b2cf439..cd9faa41 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -1,4 +1,4 @@ -# Copyright (C) 1998-2007 by the Free Software Foundation, Inc. +# Copyright (C) 1998-2008 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -203,6 +203,9 @@ def LCDomain(addr): # TBD: what other characters should be disallowed? _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]') +# characters in addition to _badchars which are not allowed in +# unquoted local parts. +_specials = re.compile(r'[:\\"]') def ValidateEmail(s): """Verify that an email address isn't grossly evil.""" @@ -212,11 +215,15 @@ def ValidateEmail(s): if _badchars.search(s) or s[0] == '-': raise Errors.MMHostileAddress, s user, domain_parts = ParseEmail(s) - # This means local, unqualified addresses, are no allowed + # This means local, unqualified addresses, are not allowed if not domain_parts: raise Errors.MMBadEmailError, s if len(domain_parts) < 2: raise Errors.MMBadEmailError, s + if not (user.startswith('"') and user.endswith('"')): + # local part is not quoted so it can't contain specials + if _specials.search(user): + raise Errors.MMBadEmailError, s @@ -20,6 +20,9 @@ Here is a history of user visible changes to Mailman. templates/xx to lists/xx if a list has the same name as a language code. Also fixed the absolute path to lists/ (1418670 ). + - Changed Utils.ValidateEmail to not allow specials (particularly ':') + in unquoted local parts (1956393). + 2.1.10 (21-Apr-2008) Security |