
emails: Foil some basic header injections.

Thanks to Jordan Milne (/u/largenocream) for this suggestion.
1 parent d59c209 commit 2a285f8f6aa33f1d8227d052b86c98da95162103 @chromakode chromakode committed Feb 28, 2014
Showing with 12 additions and 3 deletions.
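--- a/r2/r2/models/mail_queue.py
+++ b/r2/r2/models/mail_queue.py
@@ -23,6 +23,7 @@
 import datetime
 import hashlib
 from email.MIMEText import MIMEText
+from email.errors import HeaderParseError
 import sqlalchemy as sa
 from sqlalchemy.dialects.postgresql.base import PGInet
@@ -397,11 +398,19 @@ def set_sent(self, date = None, rejected = False):
 self.sent = True
 def to_MIMEText(self):
-def utf8(s):
+def utf8(s, reject_newlines=True):
+if reject_newlines and '\n' in s:
+raise HeaderParseError(
+'header value contains unexpected newline: {!r}'.format(s))
 return s.encode('utf8') if isinstance(s, unicode) else s
-fr = '"%s" <%s>' % (self.from_name(), self.fr_addr)
+
+fr = '"%s" <%s>' % (
+self.from_name().replace('"', ''),
+self.fr_addr.replace('>', ''),
+)
+
 if not fr.startswith('-') and not self.to_addr.startswith('-'): # security
-msg = MIMEText(utf8(self.body))
+msg = MIMEText(utf8(self.body, reject_newlines=False))
 msg.set_charset('utf8')
 msg['To'] = utf8(self.to_addr)
 msg['From'] = utf8(fr)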
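Review bot: The guard added to `utf8` rejects only `'\n'`, so a value containing a bare carriage return still reaches the `msg['To']` and `msg['From']` assignments; since the wire line terminator is CRLF, a lone `'\r'` in a header value is just as suspect and the check should cover both: `if reject_newlines and ('\n' in s or '\r' in s):`. The hand-built `fr` string strips `"` from the display name and `>` from the address, but a backslash in the name is left alone, so the quoted-string can presumably still be unbalanced; `email.utils.formataddr((self.from_name(), self.fr_addr))` would produce a correctly quoted From value without ad-hoc character stripping, with the newline check still applied to the result. The hunk also gives `to_MIMEText` no comment explaining why the body is exempt (`reject_newlines=False`); a one-line note such as `# body is MIME content, not a header; newlines are legitimate there` would make the asymmetry deliberate to the next reader. `to_MIMEText` continues past the end of the hunk.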
