diff --git a/django/core/mail/message.py b/django/core/mail/message.py index 607eb4af0b..963542cd62 100644 --- a/django/core/mail/message.py +++ b/django/core/mail/message.py @@ -10,7 +10,7 @@ from email.mime.base import MIMEBase from email.mime.message import MIMEMessage from email.mime.multipart import MIMEMultipart from email.mime.text import MIMEText -from email.utils import formatdate, getaddresses, make_msgid +from email.utils import formataddr, formatdate, getaddresses, make_msgid from io import BytesIO, StringIO from pathlib import Path @@ -96,16 +96,24 @@ def sanitize_address(addr, encoding): nm, address = addr localpart, domain = address.rsplit('@', 1) - nm = Header(nm, encoding).encode() + address_parts = nm + localpart + domain + if '\n' in address_parts or '\r' in address_parts: + raise ValueError('Invalid address; address parts cannot contain newlines.') + # Avoid UTF-8 encode, if it's possible. + try: + nm.encode('ascii') + nm = Header(nm).encode() + except UnicodeEncodeError: + nm = Header(nm, encoding).encode() try: localpart.encode('ascii') except UnicodeEncodeError: localpart = Header(localpart, encoding).encode() domain = punycode(domain) - parsed_address = Address(nm, username=localpart, domain=domain) - return str(parsed_address) + parsed_address = Address(username=localpart, domain=domain) + return formataddr((nm, parsed_address.addr_spec)) class MIMEMixin: diff --git a/docs/releases/2.2.15.txt b/docs/releases/2.2.15.txt index df26962029..d8ed58b596 100644 --- a/docs/releases/2.2.15.txt +++ b/docs/releases/2.2.15.txt @@ -4,10 +4,13 @@ Django 2.2.15 release notes *Expected August 3, 2020* -Django 2.2.15 fixes a bug in 2.2.14. +Django 2.2.15 fixes two bugs in 2.2.14. Bugfixes ======== * Allowed setting the ``SameSite`` cookie flag in :meth:`.HttpResponse.delete_cookie` (:ticket:`31790`). + +* Fixed crash when sending emails to addresses with display names longer than + 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (:ticket:`31784`). diff --git a/docs/releases/3.0.9.txt b/docs/releases/3.0.9.txt index 36bcf4546f..65310384ec 100644 --- a/docs/releases/3.0.9.txt +++ b/docs/releases/3.0.9.txt @@ -11,3 +11,6 @@ Bugfixes * Allowed setting the ``SameSite`` cookie flag in :meth:`.HttpResponse.delete_cookie` (:ticket:`31790`). + +* Fixed crash when sending emails to addresses with display names longer than + 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (:ticket:`31784`). diff --git a/tests/mail/tests.py b/tests/mail/tests.py index 1f8c6b12bf..baffe1a5ed 100644 --- a/tests/mail/tests.py +++ b/tests/mail/tests.py @@ -730,14 +730,14 @@ class MailTests(HeadersCheckMixin, SimpleTestCase): ( ('A name', 'to@example.com'), 'utf-8', - '=?utf-8?q?A_name?= ', + 'A name ', ), ('localpartonly', 'ascii', 'localpartonly'), # ASCII addresses with display names. ('A name ', 'ascii', 'A name '), - ('A name ', 'utf-8', '=?utf-8?q?A_name?= '), + ('A name ', 'utf-8', 'A name '), ('"A name" ', 'ascii', 'A name '), - ('"A name" ', 'utf-8', '=?utf-8?q?A_name?= '), + ('"A name" ', 'utf-8', 'A name '), # Unicode addresses (supported per RFC-6532). ('tó@example.com', 'utf-8', '=?utf-8?b?dMOz?=@example.com'), ('to@éxample.com', 'utf-8', 'to@xn--xample-9ua.com'), @@ -756,20 +756,45 @@ class MailTests(HeadersCheckMixin, SimpleTestCase): ( 'To Example ', 'utf-8', - '=?utf-8?q?To_Example?= ', + 'To Example ', ), # Addresses with two @ signs. ('"to@other.com"@example.com', 'utf-8', r'"to@other.com"@example.com'), ( '"to@other.com" ', 'utf-8', - '=?utf-8?q?to=40other=2Ecom?= ', + '"to@other.com" ', ), ( ('To Example', 'to@other.com@example.com'), 'utf-8', - '=?utf-8?q?To_Example?= <"to@other.com"@example.com>', + 'To Example <"to@other.com"@example.com>', ), + # Addresses with long unicode display names. + ( + 'Tó Example very long' * 4 + ' ', + 'utf-8', + '=?utf-8?q?T=C3=B3_Example_very_longT=C3=B3_Example_very_longT' + '=C3=B3_Example_?=\n' + ' =?utf-8?q?very_longT=C3=B3_Example_very_long?= ' + '', + ), + ( + ('Tó Example very long' * 4, 'to@example.com'), + 'utf-8', + '=?utf-8?q?T=C3=B3_Example_very_longT=C3=B3_Example_very_longT' + '=C3=B3_Example_?=\n' + ' =?utf-8?q?very_longT=C3=B3_Example_very_long?= ' + '', + ), + # Address with long display name and unicode domain. + ( + ('To Example very long' * 4, 'to@exampl€.com'), + 'utf-8', + 'To Example very longTo Example very longTo Example very longT' + 'o Example very\n' + ' long ' + ) ): with self.subTest(email_address=email_address, encoding=encoding): self.assertEqual(sanitize_address(email_address, encoding), expected_result) @@ -789,6 +814,19 @@ class MailTests(HeadersCheckMixin, SimpleTestCase): with self.assertRaises(ValueError): sanitize_address(email_address, encoding='utf-8') + def test_sanitize_address_header_injection(self): + msg = 'Invalid address; address parts cannot contain newlines.' + tests = [ + 'Name\nInjection ', + ('Name\nInjection', 'to@xample.com'), + 'Name ', + ('Name', 'to\ninjection@example.com'), + ] + for email_address in tests: + with self.subTest(email_address=email_address): + with self.assertRaisesMessage(ValueError, msg): + sanitize_address(email_address, encoding='utf-8') + @requires_tz_support class MailTimeZoneTests(SimpleTestCase):