From 0505adf5761a76b647040bb5120ae453464e5e63 Mon Sep 17 00:00:00 2001
From: Git Repository
Date: Tue, 23 May 2017 17:21:46 -0700
Subject: [PATCH] [Issue #1159] Remove any +tag name in email alias before checking privileges
---
 management/mailconfig.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/management/mailconfig.py b/management/mailconfig.py
index 4cb57027..253076df 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -433,11 +433,13 @@ def add_mail_alias(address, forwards_to, permitted_senders, env, update_if_exist
 for line in forwards_to.split("\n"):
 for email in line.split(","):
 email = email.strip()
+ # Strip any +tag from email alias and check privileges
+ privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email)
 if email == "": continue
 email = sanitize_idn_email_address(email) # Unicode => IDNA
 if not validate_email(email):
 return ("Invalid receiver email address (%s)." % email, 400)
- if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(email, env, empty_on_error=True):
+ if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
 # Make domain control validation hijacking a little harder to mess up by
 # requiring aliases for email addresses typically used in DCV to forward
 # only to accounts that are administrators on this system.
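Review bot: `privileged_email` is derived from the raw `email` before `sanitize_idn_email_address()` and `validate_email()` run, so the admin lookup in the `is_dcv_source` condition uses an address that has been neither IDNA-normalized nor validated. Move the derivation below the validation so it works on the sanitized value, i.e. place `privileged_email = re.sub(r"(?=\+)[^@]*(?=@)", '', email)` directly before the `if is_dcv_source` line. The condition also now authorizes on the untagged address while the tagged `email` is what the rest of the loop keeps using. That is only sound if `user+tag@domain` can never resolve to anything other than `user@domain`'s mailbox (for example through a separate alias on the literal tagged address), which is not visible in this hunk and is worth confirming and stating in the comment. `add_mail_alias` begins and ends outside the hunk.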