[Issue #1159] Remove any +tag name in email alias before checking privileges (#1181)

* [Issue #1159] Remove any +tag name in email alias before checking privileges * Move priprivileged email check after the conversion to unicode so only IDNA serves as input

[Issue #1159] Remove any +tag name in email alias before checking privileges (#1181)
* [Issue #1159] Remove any +tag name in email alias before checking privileges * Move priprivileged email check after the conversion to unicode so only IDNA serves as input
19a928e4 · Git Repository · Joshua Tauberer · 78f2fe21 · 19a928e4
Commit 19a928e4 authored Jul 21, 2017 by Git Repository Committed by Joshua Tauberer Jul 21, 2017
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

mailconfig.py management/mailconfig.py +3 -1

No files found.
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -435,9 +435,11 @@ def add_mail_alias(address, forwards_to, permitted_senders, env, update_if_exist
 				email = email.strip()
 				if email == "": continue
 				email = sanitize_idn_email_address(email) # Unicode => IDNA
+				# Strip any +tag from email alias and check privileges
+				privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email)
 				if not validate_email(email):
 					return ("Invalid receiver email address (%s)." % email, 400)
-				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(email, env, empty_on_error=True):
+				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
 					# Make domain control validation hijacking a little harder to mess up by
 					# requiring aliases for email addresses typically used in DCV to forward
 					# only to accounts that are administrators on this system.