#32008: django.core.mail.message.sanitize_address can add newlines in a header that django.core.mail.EmailMessage will refuse

------------------------------------------------+------------------------
Reporter: Pierre-Elliott Bécue                  | Owner: nobody
Type: Bug                                       | Status: new
Component: Core (Mail)                          | Version: 2.2
Severity: Normal                                | Keywords: mail
Triage Stage: Unreviewed                        | Has patch: 0
Needs documentation: 0                          | Needs tests: 0
Patch needs improvement: 0                      | Easy pickings: 0
UI/UX: 0                                        |
------------------------------------------------+------------------------

Hi,
We've come across a situation with Django 2.2 where, while sanitizing a user address to send a mail in his name, the sanitize_address function, which relies on Python's email.header.Header, will introduce a newline character in the From header, and therefore the mail won't get sent, because Django's security features include refusing emails with newlines in headers.

It seems to me that no recent version of Django addresses this issue.

A simple solution would be to have sanitize_address take a maxlinelen parameter passed to Header.

A more complex solution would be to see if the newline is followed by spaces or tabulations, in which case it doesn't seem to pose a security risk as it can't lead to an embedded header.

If you need more input I can give some.

--
Ticket URL: <https://code.djangoproject.com/ticket/32008>
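The folding the ticket describes, reproduced with the standard library's email.header.Header next to a simplified copy of Django's newline check, as an added example that is not Django's own code: BadHeaderError, sanitize_name, format_from, is_rejected, folds_are_fws and LONG_NAME are assumed names and a constructed sample. It also shows the effect of the maxlinelen parameter the reporter proposes (Header.encode() treats 0 as "do not wrap").

```python
from email.header import Header


class BadHeaderError(ValueError):
    """Stand-in for Django's BadHeaderError (assumed name, not Django's own class)."""


def forbid_multi_line_header(name, value):
    """Mirror Django's rule: any CR or LF in a header value is refused outright."""
    if '\n' in value or '\r' in value:
        raise BadHeaderError("Header values can't contain newlines (got %r for header %r)"
                             % (value, name))
    return value


def sanitize_name(name, encoding='utf-8', maxlinelen=None):
    """Encode a display name as sanitize_address does: Header(nm, encoding).encode().
    maxlinelen is the knob the ticket proposes; 0 tells Header.encode() not to wrap."""
    return Header(name, encoding).encode(maxlinelen=maxlinelen)


def format_from(name, address, maxlinelen=None):
    """Build a From value from the encoded name and run it through the newline check."""
    value = '%s <%s>' % (sanitize_name(name, maxlinelen=maxlinelen), address)
    return forbid_multi_line_header('From', value)


def is_rejected(name, address, maxlinelen=None):
    """True when the newline check refuses the resulting From value."""
    try:
        format_from(name, address, maxlinelen=maxlinelen)
    except BadHeaderError:
        return True
    return False


def folds_are_fws(value):
    """True when every line break is followed by a space or tab, i.e. RFC 5322 folding
    whitespace: the case the ticket notes cannot start an embedded header."""
    if '\r' in value:
        return False
    return all(line[:1] in (' ', '\t') for line in value.split('\n')[1:])


# Constructed sample: an ASCII display name of about 100 characters, long enough that
# Header.encode() splits it into two RFC 2047 encoded words at the default 76-column limit.
LONG_NAME = ('Office of the Chief Information Security Officer for Global '
             'Enterprise Platforms and Infrastructure')

if __name__ == '__main__':
    print(repr(sanitize_name(LONG_NAME)))  # the two encoded words are joined by '\n '
    print(is_rejected(LONG_NAME, 'noreply@example.com'))                # True
    print(is_rejected(LONG_NAME, 'noreply@example.com', maxlinelen=0))  # False
```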