Ticket #1541: multipart_mail.diff

mail.py

@@ -2 +2 @@
 
 from django.conf.settings import DEFAULT_FROM_EMAIL, EMAIL_HOST, EMAIL_SUBJECT_PREFIX, EMAIL_HOST_USER, EMAIL_HOST_PASSWORD
 from email.MIMEText import MIMEText
+from email.MIMEMultipart import MIMEMultipart
 import smtplib
 
 class BadHeaderError(ValueError):
     pass
 
+class SafeMIMEMultipart(MIMEMultipart):
+    def __setitem__(self, name, val):
+        "Forbids multi-line headers, to prevent header injection."
+        if '\n' in val or '\r' in val:
+            raise BadHeaderError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
+        MIMEMultipart.__setitem__(self, name, val)
+
 class SafeMIMEText(MIMEText):
     def __setitem__(self, name, val):
         "Forbids multi-line headers, to prevent header injection."
@@ -18 +26 @@
     """
     Easy wrapper for sending a single message to a recipient list. All members
     of the recipient list will see the other recipients in the 'To' field.
+    Note that the message parameter can be either text or one of the SafeMIMExxx methods listed above.
     """
     return send_mass_mail([[subject, message, from_email, recipient_list]], fail_silently, auth_user, auth_password)
 
@@ -28 +37 @@
 
     If from_email is None, the DEFAULT_FROM_EMAIL setting is used.
     If auth_user and auth_password are set, they're used to log in.
+    Note that the message parameter can be either text or one of the SafeMIMExxx methods listed above.
     """
     try:
         server = smtplib.SMTP(EMAIL_HOST)
@@ -42 +52 @@
         if not recipient_list:
             continue
         from_email = from_email or DEFAULT_FROM_EMAIL
-        msg = SafeMIMEText(message)
+
+        if isinstance(message, SafeMIMEText) or isinstance(message, SafeMIMEMultipart):
+            msg = message
+        else:
+            msg = SafeMIMEText(message)
+
         msg['Subject'] = subject
         msg['From'] = from_email
         msg['To'] = ', '.join(recipient_list)