From a8e329253c2212c63bf75f3a22179b53842e61cf Mon Sep 17 00:00:00 2001
From: Finn Stutzenstein
Date: Thu, 22 Apr 2021 12:33:33 +0200
Subject: [PATCH] Validate the from email for invalid characters

This might not be sufficient for all cases. If some other strange IndexErrors appear, more validation has to be done. For now, it catches all observed cases.
---
 server/openslides/users/models.py | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/server/openslides/users/models.py b/server/openslides/users/models.py
index 25631b4da..bf9436952 100644
--- a/server/openslides/users/models.py
+++ b/server/openslides/users/models.py
@@ -271,12 +271,26 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
 except KeyError as err:
 raise ValidationError({"detail": "Invalid property {0}", "args": [err]})
 
+ from_email = config["users_email_sender"].strip()
+ blacklist = ("[", "]", "\\")
+ if any(x in from_email for x in blacklist):
+ blacklist_str = '"' + '", "'.join(blacklist) + '"'
+ raise ValidationError(
+ {
+ "detail": "Invalid characters in the sender name configuration. "
+ + f"Not allowed: {blacklist_str}"
+ }
+ )
+ if from_email:
+ from_email += " "
+ from_email += f"<{settings.DEFAULT_FROM_EMAIL}>"
+
 # Create an email and send it.
 email = mail.EmailMessage(
- subject,
- message,
- config["users_email_sender"] + " <" + settings.DEFAULT_FROM_EMAIL + ">",
- [self.email],
+ subject=subject,
+ body=message,
+ from_email=from_email,
+ to=[self.email],
 reply_to=[config["users_email_replyto"]],
 )
 try:
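Review bot: The three-character denylist applied to `from_email` (`[`, `]`, `\`) still lets other address-special characters in the configured sender name, such as `<`, `>`, `"`, `,` or control characters, into the hand-built `name <addr>` string, where they can change how the From header is parsed or raise further parser errors. Rather than extending the list case by case, let the standard library quote the display name: `from_email = formataddr((sender_name, settings.DEFAULT_FROM_EMAIL))` with `from email.utils import formataddr`, where `sender_name` is the stripped config value. Whether quoting alone also avoids the observed IndexError should be confirmed with a regression test. The unchanged `reply_to=[config["users_email_replyto"]]` line gets no comparable check, and because the validation sits in the send path, a bad value is presumably only reported when a mail goes out rather than when the setting is saved. The enclosing method starts and ends outside this hunk.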