From a5cf72fd54db8261f0398e449d633247efbe40a2 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Sun, 13 Nov 2011 16:47:19 -0800 Subject: Strengthened the validation of email addresses. --- Mailman/Utils.py | 11 +++-------- NEWS | 2 +- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 041e8c3e..93e1fba1 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -212,10 +212,9 @@ def LCDomain(addr): # TBD: what other characters should be disallowed? -_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]') -# characters in addition to _badchars which are not allowed in -# unquoted local parts. -_specials = re.compile(r'[:\\"]') +_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\377]') +# Strictly speaking, some of the above are allowed in quoted local parts, but +# this can open the door to certain web exploits so we don't allow them. # Only characters allowed in domain parts. _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE) @@ -232,10 +231,6 @@ def ValidateEmail(s): raise Errors.MMBadEmailError, s if len(domain_parts) < 2: raise Errors.MMBadEmailError, s - if not (user.startswith('"') and user.endswith('"')): - # local part is not quoted so it can't contain specials - if _specials.search(user): - raise Errors.MMBadEmailError, s # domain parts may only contain ascii letters, digits and hyphen for p in domain_parts: if len(_valid_domain.sub('', p)) > 0: diff --git a/NEWS b/NEWS index 37d9348a..c06f1cf2 100644 --- a/NEWS +++ b/NEWS @@ -8,7 +8,7 @@ Here is a history of user visible changes to Mailman. Security - - Strengthened the validation of email address domains. + - Strengthened the validation of email addresses. - An XSS vulnerability, CVE-2011-0707, has been fixed. -- cgit v1.2.3