I notice a problem with Django's header injection prevention code.
It only checks whether there is a newline (\r or \n) in the header. I guess it should be improved, since when we want to send a UTF-8 header, it reaches its limitation.

From the comment on the email.Header.Header.encode() method in Python's email package:

" .... there is a 75-character length limit on any given encoded header field, so line-wrapping must be performed, even with double-byte character sets."

So, if you want to UTF-8 encode your mail header and your subject gets long enough, Python's Header.encode() method WILL line-wrap your subject, and when you try to pass your line-wrapped subject to Django's send_mail, your subject cannot pass Django's header injection check and BadHeaderError is thrown.

Here is my simple demo of the Header.encode() method's line-wrapping behavior:

>>> from email.Header import Header
>>> subject_string = "helloooooo, I'm preeeeeetty looooooooooooooooooooooooooooog"
>>> len(subject_string)
59
>>> subject = Header(subject_string, 'utf-8')
>>> subject.encode()
'=?utf-8?q?helloooooo=2C_I=27m_preeeeeetty_loooooooooooooooooooooooooooooog?='
>>> len(subject.encode())
75
>>> subject_string = "helloooooo, I'm preeeeeetty loooooooooooooooooooooooooooooog"
>>> len(subject_string)
60
>>> subject = Header(subject_string, 'utf-8')
>>> subject.encode()
'=?utf-8?q?helloooooo=2C_I=27m_preeeeeetty_looooooooooooooooooooooooooooooo?=\n =?utf-8?q?g?='
>>> len(subject.encode())
90
>>>

See, there is a '\n' in the last "subject".

- Eric
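
As an added example (not part of the original post and not Django's own code), the code below shows two checks that avoid the conflict described above: validating the raw subject for CR/LF before it is encoded, and accepting a line break in an already-encoded value only when it is a fold (a break followed by a space or tab and more text). It uses Python 3's email.header module rather than the Python 2 email.Header from the post; BadHeaderError here is a local stand-in, and encode_header_value, is_folded_only and the sample strings are hypothetical names constructed for the example.

```python
import re
from email.header import Header


class BadHeaderError(ValueError):
    """Local stand-in for the exception named in the post (not Django's class)."""


def encode_header_value(raw, charset="utf-8"):
    """Reject CR/LF in the caller's raw value, then let Header do the folding."""
    if "\r" in raw or "\n" in raw:
        raise BadHeaderError("raw header value contains a line break")
    return Header(raw, charset).encode()


def is_folded_only(value):
    """True if every line break in an already-encoded value is a legal fold.

    A fold is a line break followed by a space or tab and then more text;
    a break followed by anything else would start a new header line.
    """
    first, *rest = re.split(r"\r\n|\r|\n", value)
    return all(line[:1] in (" ", "\t") and bool(line.strip()) for line in rest)


# Constructed sample inputs (not taken from the post).
LONG_SUBJECT = "Wöchentlicher Bericht: " + "sehr " * 30 + "lang"
INJECTED = "Hello\nX-Injected: 1"

if __name__ == "__main__":
    wrapped = encode_header_value(LONG_SUBJECT)
    print(repr(wrapped))
    print("wrapped subject is folded only:", is_folded_only(wrapped))
    print("injected value is folded only:", is_folded_only(INJECTED))
```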