------------------------------------------------------------
revno: 1195
committer: Mark Sapiro <msap...@value.net>
branch nick: 2.2
timestamp: Sun 2011-11-13 16:50:34 -0800
message:
  Strengthened the validation of email addresses.
modified:
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.2
https://code.launchpad.net/~mailman-coders/mailman/2.2

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2011-09-16 00:22:52 +0000
+++ Mailman/Utils.py	2011-11-14 00:50:34 +0000
@@ -213,10 +213,9 @@
 
 
 # TBD: what other characters should be disallowed?
-_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
-# characters in addition to _badchars which are not allowed in
-# unquoted local parts.
-_specials = re.compile(r'[:\\"]')
+_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\377]')
+# Strictly speaking, some of the above are allowed in quoted local parts, but
+# this can open the door to certain web exploits so we don't allow them.
 # Only characters allowed in domain parts.
 _valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
 
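Review bot: the new comment on `_badchars` justifies rejecting `:`, `\` and `"` in every local part with "certain web exploits" but never says which, and the `# TBD: what other characters should be disallowed?` line above it is left standing even though this commit is precisely a decision about that. State the concrete risk being closed (the NEWS hunk in this same commit sits next to an XSS fix, so presumably addresses rendered into HTML) or link the bug report, and either resolve or drop the TBD. It is also worth noting in the comment that RFC-valid quoted local parts such as `"a:b"@example.com` are now rejected outright, since that is a behaviour change for existing subscribers, not just a tightening of new input.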
@@ -233,10 +232,6 @@
         raise Errors.MMBadEmailError, s
     if len(domain_parts) < 2:
         raise Errors.MMBadEmailError, s
-    if not (user.startswith('"') and user.endswith('"')):
-        # local part is not quoted so it can't contain specials
-        if _specials.search(user):
-            raise Errors.MMBadEmailError, s
     # domain parts may only contain ascii letters, digits and hyphen
     for p in domain_parts:
         if len(_valid_domain.sub('', p)) > 0:
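Review bot: the removed `startswith('"')`/`endswith('"')` branch was the only code that distinguished quoted from unquoted local parts; with `\`, `"` and `:` folded into `_badchars` in the previous hunk, an address containing a double quote anywhere now fails the `_badchars` check applied earlier in this function rather than only failing when specials appear unquoted. That is fine if intended, but nothing here records it: add a line to the function's docstring saying quoted local parts are no longer accepted, and pin the new behaviour with a test covering a rejected case (`"a:b"@example.com`) and an accepted one (`a.b@example.com`).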

=== modified file 'NEWS'
--- NEWS	2011-11-13 21:36:56 +0000
+++ NEWS	2011-11-14 00:50:34 +0000
@@ -64,7 +64,7 @@
 
   Security
 
-    - Strengthened the validation of email address domains.
+    - Strengthened the validation of email addresses.
 
     - An XSS vulnerability, CVE-2011-0707, has been fixed.
 
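Review bot: the replacement NEWS line is less informative than the one it replaces; "Strengthened the validation of email addresses" tells a list administrator nothing about what changed or whom it affects. Suggest spelling it out, e.g. "Email addresses whose local part contains `:`, `\` or `"` are now rejected even when the local part is quoted", so that administrators can identify affected subscriptions before upgrading.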

_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org