Fixed #1139 -- Changed django.core.mail to raise BadHeaderError (a subclass of ValueError) and changed docs/email.txt example to use that
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1798 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
8b5c2192e8
commit
528b4ebd8d
@ -4,11 +4,14 @@ from django.conf.settings import DEFAULT_FROM_EMAIL, EMAIL_HOST, EMAIL_SUBJECT_P
|
|||
from email.MIMEText import MIMEText
|
||||
import smtplib
|
||||
|
||||
class BadHeaderError(ValueError):
|
||||
pass
|
||||
|
||||
class SafeMIMEText(MIMEText):
|
||||
def __setitem__(self, name, val):
|
||||
"Forbids multi-line headers, to prevent header injection."
|
||||
if '\n' in val or '\r' in val:
|
||||
raise ValueError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
|
||||
raise BadHeaderError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
|
||||
MIMEText.__setitem__(self, name, val)
|
||||
|
||||
def send_mail(subject, message, from_email, recipient_list, fail_silently=False):
|
||||
|
|
|
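Review bot: `BadHeaderError` is introduced as a bare `pass` class with no docstring, so a reader of mail.py gets no statement of when it is raised even though the docs hunk now names it as the documented contract; replacing `pass` with `"""Raised when a header value contains CR or LF, which would allow header injection."""` would fix that. The rejection in `SafeMIMEText.__setitem__` applies only to headers assigned through that method, while the documentation promises that a newline in `recipient_list` also raises the error; `send_mail` begins on the hunk's last line and its body is outside the hunk, so whether recipient addresses are validated before they reach `smtplib` cannot be confirmed here and is worth checking. Both hunks share the change, so this note is not repeated on the docs section.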
@ -127,24 +127,25 @@ scripts generate.
|
|||
The Django e-mail functions outlined above all protect against header injection
|
||||
by forbidding newlines in header values. If any ``subject``, ``from_email`` or
|
||||
``recipient_list`` contains a newline, the e-mail function (e.g.
|
||||
``send_mail()``) will raise ``ValueError`` and, hence, will not send the
|
||||
e-mail. It's your responsibility to validate all data before passing it to the
|
||||
e-mail functions.
|
||||
``send_mail()``) will raise ``django.core.mail.BadHeaderError`` (a subclass of
|
||||
``ValueError``) and, hence, will not send the e-mail. It's your responsibility
|
||||
to validate all data before passing it to the e-mail functions.
|
||||
|
||||
Here's an example view that takes a ``subject``, ``message`` and ``from_email``
|
||||
from the request's POST data, sends that to admin@example.com and redirects to
|
||||
"/contact/thanks/" when it's done::
|
||||
|
||||
from django.core.mail import send_mail
|
||||
from django.core.mail import send_mail, BadHeaderError
|
||||
|
||||
def send_email(request):
|
||||
subject = request.POST.get('subject', '')
|
||||
message = request.POST.get('message', '')
|
||||
from_email = request.POST.get('from_email', '')
|
||||
if subject and message and from_email \
|
||||
and '\n' not in subject and '\n' not in message
|
||||
and '\n' not in from_email:
|
||||
if subject and message and from_email:
|
||||
try:
|
||||
send_mail(subject, message, from_email, ['admin@example.com'])
|
||||
except BadHeaderError:
|
||||
return HttpResponse('Invalid header found.')
|
||||
return HttpResponseRedirect('/contact/thanks/')
|
||||
else:
|
||||
# In reality we'd use a manipulator
|
||||
|
|