Opened 20 years ago
Closed 20 years ago
#1135 closed defect (fixed)
Check django.core.mail against SMTP header injection attacks
| Reported by: | Simon Willison | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Core (Other) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
James Bennett brought this up here:
http://groups.google.com/group/django-users/browse_thread/thread/aae390deedaebb0c/8655b4032d2775e5
We should make sure that Django's built in email stuff is defended against SMTP header injection attacks, as described here:
http://securephp.damonkohler.com/index.php/Email_Injection
I'm not sure if Python's smtplib protects us here or not.
Note:
See TracTickets
for help on using tickets.
(In [1795]) Fixed #1135 -- Changed django.core.mail functions not to allow newlines in headers