From 19a928e4ecb84480e61ed0e8959339eb0682725d Mon Sep 17 00:00:00 2001 From: Git Repository Date: Fri, 21 Jul 2017 08:10:16 -0700 Subject: [PATCH] [Issue #1159] Remove any +tag name in email alias before checking privileges (#1181) * [Issue #1159] Remove any +tag name in email alias before checking privileges * Move priprivileged email check after the conversion to unicode so only IDNA serves as input --- management/mailconfig.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/management/mailconfig.py b/management/mailconfig.py index 4cb57027..da83cd18 100755 --- a/management/mailconfig.py +++ b/management/mailconfig.py @@ -435,9 +435,11 @@ def add_mail_alias(address, forwards_to, permitted_senders, env, update_if_exist email = email.strip() if email == "": continue email = sanitize_idn_email_address(email) # Unicode => IDNA + # Strip any +tag from email alias and check privileges + privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email) if not validate_email(email): return ("Invalid receiver email address (%s)." % email, 400) - if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(email, env, empty_on_error=True): + if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True): # Make domain control validation hijacking a little harder to mess up by # requiring aliases for email addresses typically used in DCV to forward # only to accounts that are administrators on this system.