Validate the from email for invalid characters

This might not be sufficient for all cases. If some other strange IndexErrors appear, more validation has to be done. For now, it catches all observed cases.
2021-04-22 12:33:33 +02:00 · 2021-04-22 12:33:33 +02:00 · a8e329253c
commit a8e329253c
parent 4f35770769
1 changed files with 18 additions and 4 deletions
--- a/server/openslides/users/models.py
+++ b/server/openslides/users/models.py
@ -271,12 +271,26 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
        except KeyError as err:
            raise ValidationError({"detail": "Invalid property {0}", "args": [err]})

+        from_email = config["users_email_sender"].strip()
+        blacklist = ("[", "]", "\\")
+        if any(x in from_email for x in blacklist):
+            blacklist_str = '"' + '", "'.join(blacklist) + '"'
+            raise ValidationError(
+                {
+                    "detail": "Invalid characters in the sender name configuration. "
+                    + f"Not allowed: {blacklist_str}"
+                }
+            )
+        if from_email:
+            from_email += " "
+        from_email += f"<{settings.DEFAULT_FROM_EMAIL}>"
+
        # Create an email and send it.
        email = mail.EmailMessage(
-            subject,
-            message,
-            config["users_email_sender"] + " <" + settings.DEFAULT_FROM_EMAIL + ">",
-            [self.email],
+            subject=subject,
+            body=message,
+            from_email=from_email,
+            to=[self.email],
            reply_to=[config["users_email_replyto"]],
        )
        try: