------------------------------------------------------------
revno: 1312
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Thu 2011-09-15 17:21:55 -0700
message:
Strengthened the validation of email address domains.
modified:
Mailman/Utils.py
NEWS
--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2011-05-01 16:21:29 +0000
+++ Mailman/Utils.py 2011-09-16 00:21:55 +0000
@@ -216,6 +216,8 @@
# characters in addition to _badchars which are not allowed in
# unquoted local parts.
_specials = re.compile(r'[:\\"]')
+# Only characters allowed in domain parts.
+_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
def ValidateEmail(s):
"""Verify that an email address isn't grossly evil."""
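Review bot: the `_valid_domain` pattern added here matches the allowed characters one at a time, so the caller has to strip matches with sub() and test what remains. A negated class such as `[^-a-z0-9]` used with search() would read more directly and would mirror how `_specials` is used. The comment should also state what is excluded (underscore and any non-ASCII character), so that it is clear a non-ASCII domain name is only accepted in its ASCII-encoded form.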
@@ -234,6 +236,10 @@
# local part is not quoted so it can't contain specials
if _specials.search(user):
raise Errors.MMBadEmailError, s
+ # domain parts may only contain ascii letters, digits and hyphen
+ for p in domain_parts:
+ if len(_valid_domain.sub('', p)) > 0:
+ raise Errors.MMHostileAddress, s
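Review bot: the new loop over `domain_parts` checks only the character set, so an empty label (sub() on an empty string returns an empty string, length 0) and a label that begins or ends with a hyphen still pass. If nothing outside this hunk rejects those, add a length and hyphen-position check here. The exception also differs from the check directly above it: a disallowed character in the local part raises `MMBadEmailError`, while one in the domain raises `MMHostileAddress`, so a stray underscore in a domain is reported as hostile. Confirm that this is intended, or raise `MMBadEmailError` for consistency.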
=== modified file 'NEWS'
--- NEWS 2011-09-16 00:13:03 +0000
+++ NEWS 2011-09-16 00:21:55 +0000
@@ -8,6 +8,8 @@
Security
+ - Strengthened the validation of email address domains.
+
- An XSS vulnerability, CVE-2011-0707, has been fixed.
New Features
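Review bot: the NEWS entry added under Security does not say what changed for users. State the new rule, for example that addresses whose domain parts contain anything other than ASCII letters, digits and hyphen are now rejected, so that a list admin can tell why a previously accepted address now fails.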
_______________________________________________
Mailman-checkins mailing list