#32008: django.core.mail.message.sanitize_address can add newlines in a header that django.core.mail.EmailMessage will refuse
------------------------------------------------+------------------------
               Reporter:  Pierre-Elliott Bécue  |          Owner:  nobody
                   Type:  Bug                   |         Status:  new
              Component:  Core (Mail)           |        Version:  2.2
               Severity:  Normal                |       Keywords:  mail
           Triage Stage:  Unreviewed            |      Has patch:  0
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+------------------------
 Hi,

 We've come across a situation with django 2.2 where, while sanitizing a
 user address to send a mail in his name, the sanitize_address function,
 which relies on python's email.header.Header, will introduce a newline
 character in the from header, and therefore the mail won't get sent,
 because django's security features include refusing emails with newlines
 in headers. It seems to me that no recent version of django addresses this
 issue.

 A simple solution would be to have sanitize_address take a maxlinelen
 parameter passed to Header. A more complex solution would be to see if the
 newline is followed by spaces or tabulations, in which case it doesn't
 seem to pose a security risk as it can't lead to an embedded header.

 If you need more input I can give some.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32008>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
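The folding behaviour the ticket describes, reproduced with the Python standard library only, as an added example that is not Django's or the reporter's code: `Header(name, "utf-8").encode()` folds a long display name with a newline plus space, a Django-style newline check (reimplemented here as a hypothetical `forbid_newlines`) then rejects the result, and both of the ticket's proposals are shown: `maxlinelen=0` to stop the wrapping, and `only_folding_newlines`, which accepts a newline only when a space or tab follows it. The display names and address are constructed sample input.

```python
import re
from email.header import Header
from email.utils import formataddr

# Constructed sample input (not from the ticket): a long non-ASCII display
# name, a short one, and a placeholder address.
LONG_NAME = "Société Générale des Télécommunications Européennes, Département Sécurité"
SHORT_NAME = "Jérôme"
ADDR = "contact@example.com"

class BadHeaderError(ValueError):
    """Raised when a header value contains a CR or LF."""

def forbid_newlines(header, value):
    # Simplified stand-in for Django's refusal of newlines in header values
    # (hypothetical reimplementation, not Django's code).
    if "\n" in value or "\r" in value:
        raise BadHeaderError(f"{header}: newline in {value!r}")
    return value

def encode_display_name(display_name, encoding="utf-8", maxlinelen=None):
    # The step the ticket describes: Header(name, encoding).encode().
    # maxlinelen=None keeps the stdlib default folding width; maxlinelen=0
    # is the ticket's first proposal and tells email.header not to wrap.
    return Header(display_name, encoding, maxlinelen=maxlinelen).encode()

def build_from_header(display_name, address, maxlinelen=None):
    # Refuse CR/LF in the raw parts before any folding can add one.
    for part in (display_name, address):
        forbid_newlines("From", part)
    encoded = encode_display_name(display_name, maxlinelen=maxlinelen)
    return forbid_newlines("From", formataddr((encoded, address)))  # folded names fail here

def header_is_accepted(display_name, address, maxlinelen=None):
    try:
        build_from_header(display_name, address, maxlinelen=maxlinelen)
    except BadHeaderError:
        return False
    return True

def only_folding_newlines(value):
    # The ticket's second proposal: a newline followed by a space or tab is
    # RFC 5322 folding and cannot start an embedded header; a bare CR or an
    # LF not followed by whitespace is still rejected.
    return re.search(r"\r(?!\n)|\r?\n(?![ \t])", value) is None

if __name__ == "__main__":
    print(header_is_accepted(LONG_NAME, ADDR))                    # False: folded
    print(header_is_accepted(LONG_NAME, ADDR, maxlinelen=0))      # True: not wrapped
    print(only_folding_newlines(encode_display_name(LONG_NAME)))  # True: "\n " only
```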
