From acca1a3aae7c167aed83059340e3ce3c8c09ad3c Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Wed, 7 May 2008 20:46:19 -0700
Subject: Changed Utils.ValidateEmail to not allow specials (particularly ':') in unquoted local parts (SF bug # 1956393).
---
 Mailman/Utils.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'Mailman/Utils.py')
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 7b2cf439..cd9faa41 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -203,6 +203,9 @@ def LCDomain(addr):
 # TBD: what other characters should be disallowed?
 _badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
+# characters in addition to _badchars which are not allowed in
+# unquoted local parts.
+_specials = re.compile(r'[:\\"]')
 def ValidateEmail(s):
 """Verify that an email address isn't grossly evil."""
@@ -212,11 +215,15 @@ def ValidateEmail(s):
 if _badchars.search(s) or s[0] == '-':
 raise Errors.MMHostileAddress, s
 user, domain_parts = ParseEmail(s)
- # This means local, unqualified addresses, are no allowed
+ # This means local, unqualified addresses, are not allowed
 if not domain_parts:
 raise Errors.MMBadEmailError, s
 if len(domain_parts) < 2:
 raise Errors.MMBadEmailError, s
+ if not (user.startswith('"') and user.endswith('"')):
+ # local part is not quoted so it can't contain specials
+ if _specials.search(user):
+ raise Errors.MMBadEmailError, s
-- cgit v1.2.3
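Review bot: The comment added above `_specials` (second hunk, just before ValidateEmail) does not say where the three characters come from or why the set is so short. If they are meant to be the RFC 2822 specials, as the commit subject suggests, most of the others are already rejected by `_badchars`, while `@` and `.` have to stay legal. Recording that would help whoever revisits the "TBD" comment above it, for example `# RFC 2822 specials not already in _badchars; '@' and '.' are deliberately left out.` if that is the intent.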
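Review bot: The quoted-local-part test added at the end of the third hunk treats a local part that is a single `"` as quoted, because startswith and endswith are both true for it. If ParseEmail can return such a value, it skips the `_specials` check. Requiring two characters sends it to the unquoted branch, where `_specials` rejects it: `if not (len(user) >= 2 and user.startswith('"') and user.endswith('"')):`. Separately, anything wrapped in quotes bypasses `_specials` with no check that interior `"` and `\` are escaped, so a constructed value such as `"a"b:c"` would pass this block; whether ParseEmail or later code rejects it is not visible here. ValidateEmail starts before this hunk.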