[ mailman-Bugs-1100788 ] ^ and / are allowed charactes in email address

Mon Jan 17 01:16:19 CET 2005

Bugs item #1100788, was opened at 2005-01-12 10:51
Message generated for change (Comment added) made by tkikuchi
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1100788&group_id=103

Category: (un)subscribing
Group: 2.1 (stable)
>Status: Closed
>Resolution: Later
Priority: 5
Submitted By: reeg (reeg)
Assigned to: Nobody/Anonymous (nobody)
Summary: ^ and / are allowed charactes in email address

Initial Comment:
According RFC 2822 (section 3.4.1 and 3.2.4) the
characters ^ and / are allowed in the localpart of an
email address. But in the file Mailman/Utils.py line
201 they are listed as _badchars.

----------------------------------------------------------------------

>Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-01-17 00:16

Message:
Logged In: YES 
user_id=67709

Closing because '/' was already fixed in 2.1.6. Others
should be fixed in 3.0 (later).

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2005-01-13 15:35

Message:
Logged In: YES 
user_id=12800

Ideally, we'd allow any RFC 2822 legal address in, but I'd
rather be secure than accept very uncommon corner cases.  So
where some characters cause Mailman problems, it's okay to
leave them in _badchars.  I think the number of people this
will affect will be exceedingly small.

----------------------------------------------------------------------

Comment By: reeg (reeg)
Date: 2005-01-13 08:53

Message:
Logged In: YES 
user_id=1146038

Till now I had only a problem with the / because in one
company the have adresses like "name/departmant/country at domain".
Thanks for the change in CVS.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-01-13 02:49

Message:
Logged In: YES 
user_id=67709

_badchars in Utils.py is essentially not for dompliance with
the RFC2822. Any printable characters can appear in local
part if you use 'quoted-string' (I vaguely suppose). This is
mainly for security in Mailman and web interface I suppose.
The character '/' was removed from this list in the CVS
after close investigation. Problem was in the cookie which
mailman send to the browser. '^' is a special character for
regular expression and must be very careful in treating
this. Another character which is listed in _badchars and
allowd in RFC2822 is '|' which is used for pipeline commands
and should be treated with care.
Again, '/' will be removed from the next 2.1.6 release.
BTW, I know '/' is used for X.400 gateway but how '^' is
used? I want to assess this priority.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1100788&group_id=103