Email on new comments has issues if comment contains bad content
the-mace opened this issue · 2 comments
On the latest version 2.0.2 I get this thanks to some hackers:
File "/usr/local/lib/python2.7/dist-packages/django_comments/views/comments.py" in post_comment
130. request=request
File "/usr/local/lib/python2.7/dist-packages/django/dispatch/dispatcher.py" in send
191. response = receiver(signal=self, sender=sender, **named)
File "/usr/local/lib/python2.7/dist-packages/fluent_comments/models.py" in on_comment_posted
82. send_mail(subject, message, settings.DEFAULT_FROM_EMAIL, recipient_list, fail_silently=True)
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/__init__.py" in send_mail
62. return mail.send()
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in send
342. return self.get_connection(fail_silently).send_messages([self])
File "/usr/local/lib/python2.7/dist-packages/django_yubin/smtp_queue.py" in send_messages
36. queue_email_message(email_message)
File "/usr/local/lib/python2.7/dist-packages/django_yubin/__init__.py" in queue_email_message
123. encoded_message=email_message.message().as_string())
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in message
307. msg['Subject'] = self.subject
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in __setitem__
232. name, val = forbid_multi_line_headers(name, val, self.encoding)
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in forbid_multi_line_headers
92. raise BadHeaderError("Header values can't contain newlines (got %r for header %r)" % (val, name))
Exception Type: BadHeaderError at /comments/post/
Exception Value: Header values can't contain newlines (got u'[SITE] New comment posted on "<script>alert(1)</script> <script>alert(1)</script>: <img src=x onerror=alert(1)>\r\n\r\ntest..."' for header u'Subject')
Request information:
Other than disabling the emails I don't see any way to block the bad content. I don't actually need to see the actual comment, just knowing there's one there is good enough.
That's odd - how can these hackers point to that content_object
?
The code uses:
content_object = comment.content_object
subject = u'[{0}] New comment posted on "{1}"'.format(site.name, content_object)
which means they've already managed to add a model somewhere, and then point to it by adding a comment. Adding a <script>
to the subject would target vulnerable webmail clients (as Django already escapes HTML in templates)
One thing is clear, the Django comments post data needs better checks to avoid linking to random models.
I've made some improvements in the 'master' branch to enable the comment moderator by default.
This also allows to reject comments to unregistered models (FLUENT_COMMENTS_DEFAULT_MODERATOR = 'deny'
, and call moderate_model()
on any model you'd allow comments to be posted at)