Code

Opened 9 years ago

Closed 9 years ago

#1135 closed defect (fixed)

Check django.core.mail against SMTP header injection attacks

Reported by: Simon Willison Owned by: adrian
Component: Core (Other) Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

James Bennett brought this up here:

http://groups.google.com/group/django-users/browse_thread/thread/aae390deedaebb0c/8655b4032d2775e5

We should make sure that Django's built in email stuff is defended against SMTP header injection attacks, as described here:

http://securephp.damonkohler.com/index.php/Email_Injection

I'm not sure if Python's smtplib protects us here or not.

Attachments (0)

Change History (1)

comment:1 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [1795]) Fixed #1135 -- Changed django.core.mail functions not to allow newlines in headers

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.