diff options
| author | Adrian Holovaty <adrian@holovaty.com> | 2005-12-29 20:33:56 +0000 |
|---|---|---|
| committer | Adrian Holovaty <adrian@holovaty.com> | 2005-12-29 20:33:56 +0000 |
| commit | 8b5c2192e8698f777102cf56bdbed2170df09cc0 (patch) | |
| tree | de3bba283bcf625128591cc4b73de5b32bff3481 /docs | |
| parent | f7f812cd7087625266f69596fb914a919bc798ae (diff) | |
Fixed #1135 -- Changed django.core.mail functions not to allow newlines in headers
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1795 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/email.txt | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/docs/email.txt b/docs/email.txt index b7450b8a14..f07062df36 100644 --- a/docs/email.txt +++ b/docs/email.txt @@ -114,3 +114,41 @@ receiving a separate e-mail:: ('Subject', 'Message.', 'from@example.com', ['jane@example.com'], ) send_mass_mail(datatuple) + +Preventing header injection +=========================== + +**New in Django development version.** + +`Header injection`_ is a security exploit in which an attacker inserts extra +e-mail headers to control the "To:" and "From:" in e-mail messages that your +scripts generate. + +The Django e-mail functions outlined above all protect against header injection +by forbidding newlines in header values. If any ``subject``, ``from_email`` or +``recipient_list`` contains a newline, the e-mail function (e.g. +``send_mail()``) will raise ``ValueError`` and, hence, will not send the +e-mail. It's your responsibility to validate all data before passing it to the +e-mail functions. + +Here's an example view that takes a ``subject``, ``message`` and ``from_email`` +from the request's POST data, sends that to admin@example.com and redirects to +"/contact/thanks/" when it's done:: + + from django.core.mail import send_mail + + def send_email(request): + subject = request.POST.get('subject', '') + message = request.POST.get('message', '') + from_email = request.POST.get('from_email', '') + if subject and message and from_email \ + and '\n' not in subject and '\n' not in message + and '\n' not in from_email: + send_mail(subject, message, from_email, ['admin@example.com']) + return HttpResponseRedirect('/contact/thanks/') + else: + # In reality we'd use a manipulator + # to get proper validation errors. + return HttpResponse('Make sure all fields are entered and valid.') + +.. _Header injection: http://securephp.damonkohler.com/index.php/Email_Injection |
