authorMark Sapiro2016-07-17 01:27:09 +0000
committerGitLab2016-07-17 15:49:49 +0000
commitf0ec0cf2b5bb888414b5a2418fd1024cefad8817 (patch)
tree6242e5184f3d94811defea246de6d458f2be69dd /src/mailman/email/validate.py
parent2eae426742d02bfac617429d3d207d4b1ce98137 (diff)
Diffstat (limited to 'src/mailman/email/validate.py')
-rw-r--r--src/mailman/email/validate.py12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/mailman/email/validate.py b/src/mailman/email/validate.py
index 5643d6057..1f5998d30 100644
--- a/src/mailman/email/validate.py
+++ b/src/mailman/email/validate.py
@@ -27,8 +27,11 @@ from zope.interface import implementer
# What other characters should be disallowed?
-_badchars = re.compile(r'[][()<>|;^,\000-\037\177-\377]')
-
+_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\377]')
+# Strictly speaking, some of the above are allowed in quoted local parts, but
+# this can open the door to certain web exploits so we don't allow them.
+_valid_domain = re.compile('[-a-z0-9]', re.IGNORECASE)
+# These are the only characters allowed in domain parts.
@public
@implementer(IEmailValidator)
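Review bot: The `\177-\377` range in the new `_badchars` pattern stops at U+00FF, so if `email` is a `str` (as it appears to be here), a local part containing code points above U+00FF still passes this check. The new `_valid_domain` rule closes that gap only for the domain side. If the intent of the range is to reject every non-ASCII character, extend it, e.g. `_badchars = re.compile(r'[][()<>|:;^,\\"\000-\037\177-\U0010ffff]')`. It would also read better if each explanatory comment sat above the pattern it describes rather than below it, and if the "web exploits" comment named the output contexts the exclusion is meant to protect.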
@@ -39,7 +42,7 @@ class Validator:
"""See `IEmailValidator`."""
if not email or ' ' in email:
return False
- if _badchars.search(email) or email[0] == '-':
+ if _badchars.search(email):
return False
user, domain_parts = split_email(email)
# Local, unqualified addresses are not allowed.
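Review bot: Dropping `email[0] == '-'` from this condition means an address whose local part begins with a hyphen now validates, because the hyphen check added later in the commit covers domain labels only. That is RFC-valid, but the old check may have been guarding consumers that place addresses on a command line, where a leading hyphen can be parsed as an option; nothing visible here shows whether such consumers exist. I would record the decision next to the condition, for example `# A leading '-' in the local part is allowed; callers must never pass addresses as bare command arguments.`, and add a test pinning the new behaviour. The method starts before this hunk and continues after it.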
@@ -47,6 +50,9 @@ class Validator:
return False
if len(domain_parts) < 2:
return False
+ for p in domain_parts:
+ if len(p) == 0 or p[0] == '-' or len(_valid_domain.sub('', p)) > 0:
+ return False
return True
def validate(self, email):
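Review bot: The added per-label check rejects an empty label and a leading hyphen but still accepts a label that ends in a hyphen, which host name rules (RFC 1123) also forbid. It places no bound on label length either, where the DNS limit is 63 octets. The condition could become `if not p or p[0] == '-' or p[-1] == '-' or len(p) > 63 or _valid_domain.sub('', p):`, which also replaces the `len(...) == 0` / `len(...) > 0` comparisons with plain truthiness. The loop sits inside a method whose beginning is outside this hunk.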