[CMF-checkins] CVS: CMF/CMFDefault - RegistrationTool.py:1.19.10.4 version.txt:1.7.32.7

Tres Seaver tseaver at zope.com
Fri May 14 17:44:44 EDT 2004


Update of /cvs-repository/CMF/CMFDefault
In directory cvs.zope.org:/tmp/cvs-serv13517/CMFDefault

Modified Files:
      Tag: CMF-1_4-branch
	RegistrationTool.py version.txt 
Log Message:


  - Collector #243:  the unscrubbed member property 'email' could allow
    mail header injection.


  - Prep for 1.4.4 release.


=== CMF/CMFDefault/RegistrationTool.py 1.19.10.3 => 1.19.10.4 ===
--- CMF/CMFDefault/RegistrationTool.py:1.19.10.3	Thu Apr 22 13:47:50 2004
+++ CMF/CMFDefault/RegistrationTool.py	Fri May 14 17:44:13 2004
@@ -14,6 +14,7 @@
 
 $Id$
 """
+import re
 
 from Globals import InitializeClass, DTMLFile
 from AccessControl import ClassSecurityInfo
@@ -103,7 +104,12 @@
                 return ('The login name you selected is already '
                         'in use or is not valid. Please choose another.')
 
-            if not props.get('email'):
+            email = props.get('email')
+            if email is None:
+                return 'You must enter an email address.'
+
+            ok, message =  _checkEmail( email )
+            if not ok:
                 return 'You must enter a valid email address.'
 
         else: # Existing member.
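Review bot: The `email is None` test on the new side narrows the old `if not props.get('email')` check, so an empty string no longer reaches the "You must enter an email address." branch; it falls through to `_checkEmail('')`, which rejects it under the different "valid email address" message. Keeping the original truthiness test, `if not email:`, preserves the old behaviour for missing and empty values while still routing every non-empty value through `_checkEmail`. The enclosing method starts and ends outside this hunk, so whether `props` can carry a non-string value here (which `pattern.search` would not accept) cannot be judged from the diff; if it can, a `isinstance(email, str)` guard belongs on the same line.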
@@ -201,3 +207,50 @@
         return member
 
 InitializeClass(RegistrationTool)
+
+# See URL: http://www.zopelabs.com/cookbook/1033402597
+
+# Python 2.1 compatibility
+try:
+    True
+except NameError:
+    True = 1
+    False = 0
+
+
+_TESTS = ( ( re.compile("^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+$")
+           , True
+           , "Failed a"
+           )
+         , ( re.compile("^[^0-9a-zA-Z]|[^0-9a-zA-Z]$")
+           , False
+           , "Failed b"
+           )
+         , ( re.compile("([0-9a-zA-Z]{1})\@.")
+           , True
+           , "Failed c"
+           )
+         , ( re.compile(".\@([0-9a-zA-Z]{1})")
+           , True
+           , "Failed d"
+           )
+         , ( re.compile(".\.\-.|.\-\..|.\.\..|.\-\-.")
+           , False
+           , "Failed e"
+           )
+         , ( re.compile(".\.\_.|.\-\_.|.\_\..|.\_\-.|.\_\_.")
+           , False
+           , "Failed f"
+           )
+         , ( re.compile(".\.([a-zA-Z]{2,3})$|.\.([a-zA-Z]{2,4})$")
+           , True
+           , "Failed g"
+           )
+         )
+
+def _checkEmail( address ):
+    for pattern, expected, message in _TESTS:
+        matched = pattern.search( address ) is not None
+        if matched != expected:
+            return False, message
+    return True, ''
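Review bot: The whole-address pattern in `_TESTS` entry "a" is anchored with `$`, which in Python's `re` also matches just before a trailing newline, so an address ending in "\n" satisfies "a" and is rejected only because entry "b" (`[^0-9a-zA-Z]$`) happens to match that final newline; since the log message names header injection as the motivation, the full-string check should not depend on a later entry catching what the first one lets through. Anchoring with `\Z` makes the intent explicit: `re.compile(r"^[0-9a-zA-Z._-]+@[0-9a-zA-Z.-]+\Z")`. The patterns are also written as plain strings with `\.`, `\-`, `\_` and `\@` escapes; raw strings (`r"..."`) would make them easier to read and immune to future escape-sequence changes. A short comment above `_TESTS` stating that every entry must match (`expected` True) or must not match (`expected` False) for the address to pass, and that "a" is the only whole-string check, would also help the next reader, as the only current reference is the cookbook URL.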


=== CMF/CMFDefault/version.txt 1.7.32.6 => 1.7.32.7 ===
--- CMF/CMFDefault/version.txt:1.7.32.6	Thu Apr 22 13:47:50 2004
+++ CMF/CMFDefault/version.txt	Fri May 14 17:44:13 2004
@@ -1,2 +1,2 @@
-CMF-1.4.3
+CMF-1.4.4
 



