[CMF-checkins] CVS: CMF/CMFDefault - RegistrationTool.py:1.27
Tres Seaver
tseaver at zope.com
Tue Jun 1 13:55:02 EDT 2004
Update of /cvs-repository/CMF/CMFDefault
In directory cvs.zope.org:/tmp/cvs-serv15436/CMFDefault
Modified Files:
RegistrationTool.py
Log Message:
- Forward port further email-injection hardening from 1.4 branch.
=== CMF/CMFDefault/RegistrationTool.py 1.26 => 1.27 ===
--- CMF/CMFDefault/RegistrationTool.py:1.26 Fri May 14 18:16:30 2004
+++ CMF/CMFDefault/RegistrationTool.py Tue Jun 1 13:55:00 2004
@@ -117,9 +117,18 @@
return 'You must enter a valid email address.'
else: # Existing member.
+ email = props.get('email')
+
+ if email is not None:
+
+ ok, message = _checkEmail( email )
+ if not ok:
+ return 'You must enter a valid email address.'
+
# Not allowed to clear an existing non-empty email.
- if (member.getProperty('email') and
- not props.get('email', 'NoPropIsOk')):
+ existing = member.getProperty('email')
+
+ if existing and email == '':
return 'You must enter a valid email address.'
return None
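Review bot: In the existing-member branch, a submitted empty string now reaches `_checkEmail( email )` before the `existing and email == ''` test, so if `_checkEmail` rejects empty strings (its body is not in this diff, so this is inferred) the later test can never fire, and a member with no address on file can no longer submit a blank email field. If blank-for-blank is meant to stay allowed, guard the validation with `if email is not None and email != '':` and leave the clear-protection check to handle `''`. The `message` returned by `_checkEmail` is also discarded; a comment such as `# Generic text on purpose; _checkEmail's message is not shown to the user.` would record whether that is intended. The enclosing method starts outside the hunk.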
@@ -141,6 +150,10 @@
if not member.getProperty('email'):
raise ValueError('That user does not have an email address.')
+ check, msg = _checkEmail(member.getProperty('email'))
+ if not check:
+ raise 'ValueError', msg
+
# Rather than have the template try to use the mailhost, we will
# render the message ourselves and send it from here (where we
# don't need to worry about 'UseMailHost' permissions).
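Review bot: The added `raise 'ValueError', msg` raises a string exception, not the `ValueError` class used two lines above, so a caller's `except ValueError:` will not catch a rejected address; string exceptions are matched by object identity. Use `raise ValueError(msg)` here and in the identical added check in the `@@ -172,6 +185,10 @@` hunk. As written the check still stops the message from being rendered and sent, which is the point of the hardening, but the failure surfaces as an error type callers do not already handle. `member.getProperty('email')` is also read twice; binding it once to a local guarantees that the value tested for presence is the value validated. The enclosing method starts and ends outside the hunk.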
@@ -172,6 +185,10 @@
if email is None:
raise ValueError( 'No email address is registered for member: %s'
% new_member_id )
+
+ check, msg = _checkEmail(email)
+ if not check:
+ raise 'ValueError', msg
# Rather than have the template try to use the mailhost, we will
# render the message ourselves and send it from here (where we