From 6f19d6a0134aba24cc903cf4731211e0b9cb6787 Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Thu, 15 Sep 2011 17:21:55 -0700
Subject: Strengthened the validation of email address domains.

---
 Mailman/Utils.py | 6 ++++++
 NEWS             | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index c93df81f..041e8c3e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -216,6 +216,8 @@ _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
 # characters in addition to _badchars which are not allowed in
 # unquoted local parts.
 _specials = re.compile(r'[:\\"]')
+# Only characters allowed in domain parts.
+_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
 
 def ValidateEmail(s):
     """Verify that an email address isn't grossly evil."""
@@ -234,6 +236,10 @@ def ValidateEmail(s):
     # local part is not quoted so it can't contain specials
     if _specials.search(user):
         raise Errors.MMBadEmailError, s
+    # domain parts may only contain ascii letters, digits and hyphen
+    for p in domain_parts:
+        if len(_valid_domain.sub('', p)) > 0:
+            raise Errors.MMHostileAddress, s
diff --git a/NEWS b/NEWS
index e4ec8ba9..48f7f907 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ Here is a history of user visible changes to Mailman.
 
   Security
 
+    - Strengthened the validation of email address domains.
+
     - An XSS vulnerability, CVE-2011-0707, has been fixed.
 
   New Features
-- 
cgit v1.2.3
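Review bot: `_valid_domain` matches a single allowed character, and the loop in the second Utils.py hunk decides by measuring what `.sub('', p)` leaves behind, so an empty label passes silently (if `domain_parts` is produced by splitting on `.`, as the name suggests, that covers a leading, trailing or doubled dot), and `len(...) > 0` is an indirect way to say "contains a disallowed character". A positive anchored pattern states the rule directly and closes the empty-label gap: `_valid_domain = re.compile(r'^[-a-z0-9]+\Z', re.IGNORECASE)` in this hunk, and `if not _valid_domain.match(p):` in place of the `len(...)` test in the second hunk; the name would then also describe what it matches. Labels that begin or end with a hyphen are still accepted either way, and whether that deserves `MMHostileAddress` or `MMBadEmailError` is a policy the commit does not state. Non-ASCII labels are now rejected as hostile, which the comment should make explicit so the next maintainer does not read it as an oversight: `# domain labels: ASCII letters, digits and hyphen only (IDN must arrive punycode-encoded)`. ValidateEmail's body continues past the end of the second hunk.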