Fixed #1139 -- Changed django.core.mail to raise BadHeaderError (a subclass of ValueError) and changed docs/email.txt example to use that

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1798 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 528b4ebd8dba246525859f7a5882f61614b88343 1 parent 8b5c219
adrianholovaty authored
Showing with 13 additions and 9 deletions.
  1. +4 −1 django/core/mail.py
  2. +9 −8 docs/email.txt
django/core/mail.py
@@ -4,11 +4,14 @@
from email.MIMEText import MIMEText
import smtplib
+class BadHeaderError(ValueError):
+ pass
+
class SafeMIMEText(MIMEText):
def __setitem__(self, name, val):
"Forbids multi-line headers, to prevent header injection."
if '\n' in val or '\r' in val:
- raise ValueError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
+ raise BadHeaderError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
MIMEText.__setitem__(self, name, val)
def send_mail(subject, message, from_email, recipient_list, fail_silently=False):
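Review bot: `BadHeaderError` is introduced without a docstring; since it is the exception callers are now expected to catch, a one-line docstring such as `"Raised when a header value contains a newline (possible header injection)."` would document the contract at the definition rather than only in docs/email.txt. Keeping it a subclass of `ValueError` is the right call: existing `except ValueError` handlers around `send_mail()` keep working, while new code can catch the narrower type. The guard itself is unchanged and still rejects both `\n` and `\r`, so the protection against header injection described in the docstring is preserved.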
docs/email.txt
@@ -127,24 +127,25 @@ scripts generate.
The Django e-mail functions outlined above all protect against header injection
by forbidding newlines in header values. If any ``subject``, ``from_email`` or
``recipient_list`` contains a newline, the e-mail function (e.g.
-``send_mail()``) will raise ``ValueError`` and, hence, will not send the
-e-mail. It's your responsibility to validate all data before passing it to the
-e-mail functions.
+``send_mail()``) will raise ``django.core.mail.BadHeaderError`` (a subclass of
+``ValueError``) and, hence, will not send the e-mail. It's your responsibility
+to validate all data before passing it to the e-mail functions.
Here's an example view that takes a ``subject``, ``message`` and ``from_email``
from the request's POST data, sends that to admin@example.com and redirects to
"/contact/thanks/" when it's done::
- from django.core.mail import send_mail
+ from django.core.mail import send_mail, BadHeaderError
def send_email(request):
subject = request.POST.get('subject', '')
message = request.POST.get('message', '')
from_email = request.POST.get('from_email', '')
- if subject and message and from_email \
- and '\n' not in subject and '\n' not in message
- and '\n' not in from_email:
- send_mail(subject, message, from_email, ['admin@example.com'])
+ if subject and message and from_email:
+ try:
+ send_mail(subject, message, from_email, ['admin@example.com'])
+ except BadHeaderError:
+ return HttpResponse('Invalid header found.')
return HttpResponseRedirect('/contact/thanks/')
else:
# In reality we'd use a manipulator
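Review bot: the rewritten example uses `HttpResponse` and `HttpResponseRedirect` but the only import shown is `from django.core.mail import send_mail, BadHeaderError`; add `from django.http import HttpResponse, HttpResponseRedirect` so the snippet runs as pasted. The change to the prose is accurate and the new control flow is an improvement on the removed check: the old condition also rejected newlines in `message`, which is the body and not a header, and it relied on a backslash continuation that was missing on the second line of the `if`. Letting `send_mail()` raise `BadHeaderError` and handling it in one place is the safer pattern, since it covers every header the function sets rather than only the fields the view remembered to test.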