	Fixed #1139 -- Changed django.core.mail to raise BadHeaderError (a subclass of ValueError) and changed docs/email.txt example to use that
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1798 bcc190cf-cafb-0310-a4f2-bffc1f526a37
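--- a/django/core/mail.py
+++ b/django/core/mail.py
@@ -4,11 +4,14 @@ from django.conf.settings import DEFAULT_FROM_EMAIL, EMAIL_HOST, EMAIL_SUBJECT_P
 from email.MIMEText import MIMEText
 import smtplib
 
+class BadHeaderError(ValueError):
+    pass
+
 class SafeMIMEText(MIMEText):
     def __setitem__(self, name, val):
         "Forbids multi-line headers, to prevent header injection."
         if '\n' in val or '\r' in val:
-            raise ValueError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
+            raise BadHeaderError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
         MIMEText.__setitem__(self, name, val)
 
 def send_mail(subject, message, from_email, recipient_list, fail_silently=False):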
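Review bot: `BadHeaderError` is declared with a bare `pass` and no docstring, so the reason it exists — the header-injection guard in `SafeMIMEText.__setitem__` — is only discoverable from the raise site; replace the `pass` with a docstring such as `"""Raised when a header value contains CR or LF, i.e. a header-injection attempt."""`. The guard also only fires for headers assigned through `__setitem__`; if a header value can reach the message another way (the `MIMEText` constructor or `add_header()`), that path is presumably not checked, which is worth confirming. A non-string `val` would also make the `'\n' in val` test raise `TypeError` rather than `BadHeaderError`, so callers catching only the latter may be surprised. The body of `send_mail` continues outside the hunk.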
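--- a/docs/email.txt
+++ b/docs/email.txt
@@ -127,24 +127,25 @@ scripts generate.
 The Django e-mail functions outlined above all protect against header injection
 by forbidding newlines in header values. If any ``subject``, ``from_email`` or
 ``recipient_list`` contains a newline, the e-mail function (e.g.
-``send_mail()``) will raise ``ValueError`` and, hence, will not send the
-e-mail. It's your responsibility to validate all data before passing it to the
-e-mail functions.
+``send_mail()``) will raise ``django.core.mail.BadHeaderError`` (a subclass of
+``ValueError``) and, hence, will not send the e-mail. It's your responsibility
+to validate all data before passing it to the e-mail functions.
 
 Here's an example view that takes a ``subject``, ``message`` and ``from_email``
 from the request's POST data, sends that to admin@example.com and redirects to
 "/contact/thanks/" when it's done::
 
-    from django.core.mail import send_mail
+    from django.core.mail import send_mail, BadHeaderError
 
     def send_email(request):
         subject = request.POST.get('subject', '')
         message = request.POST.get('message', '')
         from_email = request.POST.get('from_email', '')
-        if subject and message and from_email \
-                and '\n' not in subject and '\n' not in message
-                and '\n' not in from_email:
+        if subject and message and from_email:
+            try:
                 send_mail(subject, message, from_email, ['admin@example.com'])
+            except BadHeaderError:
+                return HttpResponse('Invalid header found.')
             return HttpResponseRedirect('/contact/thanks/')
         else:
             # In reality we'd use a manipulator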