Describe the bug
Indico does not validate the email addresses on the server side, before sending out a verification email, leading to local mail delivery in some cases.
This is a problem when spam bots come by, looking for xss.
To Reproduce
Go to '/register/'
Input msgbox("foo");window.alert('bar');
Disable form validation by changing type=email to type=text
Then click 'Send me a verification email'
Check the local delivery mailboxes for foo <msgbox@SERVER ;> and bar <window.alert@SERVER ;>
Expected behavior
Indico should not send verification mails to local mailboxes, and should check the email serverside.
At least check if the mail contains a @.
Other examples are mails sent to the support users about not being able to send the verification mails:
2019-11-17 02:55:02,560 0000000000000000 indico.emails - ERROR emails.py:52 -- Could not send email "[Indico] Verify your email" (attempt 10/10); giving up [{u'!--#execcmd="dir"--': (501, '5.1.3 Bad recipient address syntax')}]; stored data in /opt/indico/tmp/failed-email-2019-11-17-wqpBY0
2019-11-17 02:38:16,055 0000000000000000 indico.emails - ERROR emails.py:52 -- Could not send email "[Indico] Verify your email" (attempt 10/10); giving up [Header values can't contain newlines (got u'<script\n>alert(110);</script\n>' for header u'To')]; stored data in /opt/indico/tmp/failed-email-2019-11-17-LJp7Vk
The general consensus on email validation is that one should just try sending an email instead of trying to do any in-depth validation. However, you are correct that the "simple" email validator (which would cover something as obviously-wrong as your test input) is missing on those fields. So we'll fix that in the next version.
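A minimal server-side shape check of the kind the reply describes, added here as an example (this is not Indico's own validator or code from the project). Run before any verification mail is queued, it rejects the inputs quoted in the report; the sample addresses inside the block are constructed from those log lines.

```python
import re
from typing import Tuple

# Conservative address-shape check. It is deliberately stricter than the
# full RFC 5322 grammar: the aim is to refuse inputs that are obviously not
# addresses before handing them to the mailer, not to prove deliverability.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]+$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_email(addr: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    Rejects anything a mail header or MTA could misinterpret: control
    characters (the newline that broke the 'To' header), whitespace,
    zero or multiple '@', shell-like junk in the local part, and bare
    hostnames without a dot (an MTA may treat those as local delivery).
    """
    if not isinstance(addr, str) or not addr:
        return False, "empty"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        return False, "control character"
    if any(c.isspace() for c in addr):
        return False, "whitespace"
    if addr.count("@") != 1:
        return False, "must contain exactly one '@'"
    local, domain = addr.split("@")
    if not local or not _LOCAL_RE.match(local):
        return False, "bad local part"
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lbl) for lbl in labels):
        return False, "bad domain"
    return True, "ok"


# Constructed samples: one legitimate address plus the junk from the report.
SAMPLES = [
    "user@example.org",
    'msgbox("foo");window.alert(\'bar\');',
    "<script\n>alert(110);</script\n>",
    '!--#execcmd="dir"--',
    "msgbox@SERVER",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = validate_email(sample)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {reason:32} {sample!r}")
```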