[Mailman-Developers] 1030228 Mass Subscribe address with controlcharacter - can't delete

Mark Sapiro msapiro at value.net
Sun Sep 19 21:54:46 CEST 2004


Mark Sapiro wrote:

>Subject Bug report is posted on sourceforge.net.
>
>http://list.org/bugs.html says "It is also recommended that you email a
>note about your submission to the mailman-developers mailing list", thus
>this post.

I have two reasons for this followup. First, I neglected to include a
direct link to the report in my original post. Here it is.
http://sourceforge.net/tracker/?func=detail&atid=100103&aid=1030228&group_id=103

The second reason is to try to start a discussion on what Mailman
should allow in e-mail addresses. I have looked a little more
carefully at the standards, but I'm still not sure what they allow.

It appears that RFC 2822 (Internet Message Format) allows anything in a
domain-literal which "is interpreted as the literal Internet address
of the particular host", but that RFC 2821 (SMTP) does not allow a
domain-literal to be used at all and is more restrictive than RFC 2822
on other forms of domains as well. Section 2.3.5 of RFC 2821 says in
part "A domain (or domain name) consists of one or more dot-separated
components. These components ("labels" in DNS terminology) are
restricted for SMTP purposes to consist of a sequence of letters,
digits, and hyphens drawn from the ASCII character set.

With regard to the "user" or local-part of the address, the situation
is not so clear. RFC 2821 in section 2.3.10 says in part "(T)he
local-part MUST be interpreted and assigned semantics only by the host
specified in the domain part of the address." It defines the
local-part in the same way as RFC 2822 which allows ascii letters,
digits, internal dots (.) and the following !#$%&'*+-/=?^_`{|}~ which
is all the "printable" ascii characters except space and "(),:;<>@[\]

Both RFCs also allow a local-part to be a quoted-string which can
contain almost any ascii character in \001-\177 except \011 \012 \015
and \040 (<HT>, <LF>, <CR> and <SP>), BUT RFC 2821 says in part in
section 4.1.2 "Systems MUST NOT define mailboxes in such a way as to
require the use in SMTP of non-ASCII characters (octets with the high
order bit set to one) or ASCII "control characters" (decimal value
0-31 and 127). These characters MUST NOT be used in MAIL or RCPT
commands or other commands that require mailbox names."

Thus, it would seem as a practical matter, Mailman should not accept
for subscription any address containing any characters in the ranges
\000-\037 and \177-\377. Thus I suggest the following, totally
untested change:

--- mailman-2.1.5/Mailman/Utils.py      2003-12-26 14:50:04.000000000
-0800
+++ mailman-mas/Mailman/Utils.py        2004-09-19 12:49:30.000000000
-0700
@@ -198,7 +198,7 @@


 # TBD: what other characters should be disallowed?
-_badchars = re.compile(r'[][()<>|;^,/\200-\377]')
+_badchars = re.compile(r'[][()<>|;^,/\000-\037\177-\377]')

 def ValidateEmail(s):
     """Verify that the an email address isn't grossly evil."""

This still leaves open the question of whether the printable characters
in the _badchars RE are the right ones and what to do with
quoted-string local-parts, but I think it would prevent my immediate
problem from recurring.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



More information about the Mailman-Developers mailing list