Opened 19 years ago
Closed 19 years ago
#1135 closed defect (fixed)
Check django.core.mail against SMTP header injection attacks
Reported by: | Simon Willison | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | Core (Other) | Version: | |
Severity: | normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
James Bennett brought this up here:
http://groups.google.com/group/django-users/browse_thread/thread/aae390deedaebb0c/8655b4032d2775e5
We should make sure that Django's built in email stuff is defended against SMTP header injection attacks, as described here:
http://securephp.damonkohler.com/index.php/Email_Injection
I'm not sure if Python's smtplib protects us here or not.
Note:
See TracTickets
for help on using tickets.
(In [1795]) Fixed #1135 -- Changed django.core.mail functions not to allow newlines in headers