Forbid multi-line headers to prevent header injection.
(name, val, encoding)
| 74 | |
| 75 | # RemovedInDjango70Warning. |
def forbid_multi_line_headers(name, val, encoding):
    """Forbid multi-line headers to prevent header injection.

    Deprecated internal API: every call emits RemovedInDjango70Warning.

    ``val`` is coerced to ``str`` and rejected with BadHeaderError if it
    contains a carriage return or a line feed. The check runs on the raw
    text, before any encoding is applied. Only ``val`` is inspected:
    ``name`` is returned unchanged and is not checked for newlines here.

    A value that is not pure ASCII is encoded. For headers listed in
    ADDRESS_HEADERS each address goes through sanitize_address(); any other
    header goes through Header(val, encoding). A pure-ASCII value is kept
    as is, except for "subject", which is passed through Header(val).

    ``encoding`` falls back to settings.DEFAULT_CHARSET when falsy.

    Return the ``(name, val)`` pair.
    """
    warnings.warn(
        "The internal API forbid_multi_line_headers() is deprecated."
        " Python's modern email API (with email.message.EmailMessage or"
        " email.policy.default) will reject multi-line headers.",
        RemovedInDjango70Warning,
    )

    charset = encoding or settings.DEFAULT_CHARSET
    # val may be a lazy object, so force it to text before inspecting it.
    text = str(val)

    # A raw CR or LF would let the value start a new header line.
    if any(line_break in text for line_break in ("\n", "\r")):
        message = "Header values can't contain newlines (got %r for header %r)" % (
            text,
            name,
        )
        raise BadHeaderError(message)

    try:
        text.encode("ascii")
    except UnicodeEncodeError:
        # Non-ASCII content: address headers are sanitized per address,
        # everything else is encoded as a whole with the chosen charset.
        if name.lower() in ADDRESS_HEADERS:
            sanitized = [
                sanitize_address(address, charset)
                for address in getaddresses((text,))
            ]
            text = ", ".join(sanitized)
        else:
            text = Header(text, charset).encode()
    else:
        # Pure ASCII: only the subject is run through Header.
        if name.lower() == "subject":
            text = Header(text).encode()

    return name, text
| 104 | |
| 105 | |
| 106 | # RemovedInDjango70Warning. |