fix: Reject obvious bad encoding pastes into the Submitter field in submissions (#6702)

2023-12-04 14:10:36 -05:00 · 2023-12-04 14:10:36 -05:00 · 5006ea53e6
parent b78f5bab90
commit 5006ea53e6
2 changed files with 35 additions and 2 deletions
--- a/ietf/submit/forms.py
+++ b/ietf/submit/forms.py
@ -1,4 +1,4 @@
-# Copyright The IETF Trust 2011-2022, All Rights Reserved
+# Copyright The IETF Trust 2011-2023, All Rights Reserved
 # -*- coding: utf-8 -*-


@ -758,6 +758,20 @@ class SubmitterForm(NameEmailForm):
            line = formataddr((line, email))
        return line

+    def clean_name(self):
+        name = super(SubmitterForm, self).clean_name()
+        if name.startswith('=?'):
+            msg = f'"{name}" appears to be a MIME-encoded string.'
+            try:
+                import email.header
+                text, encoding = email.header.decode_header(name)[0]
+                decoded_name = text.decode(encoding)
+                msg += f' Did you mean "{decoded_name}"?'
+            except:
+                pass
+            raise forms.ValidationError(msg)
+        return name
+
 class ReplacesForm(forms.Form):
    replaces = SearchableDocAliasesField(required=False, help_text="Any Internet-Drafts that this document replaces (approval required for replacing an Internet-Draft you are not the author of)")

--- a/ietf/submit/tests.py
+++ b/ietf/submit/tests.py
@ -1,4 +1,4 @@
-# Copyright The IETF Trust 2011-2022, All Rights Reserved
+# Copyright The IETF Trust 2011-2023, All Rights Reserved
 # -*- coding: utf-8 -*-


@ -495,6 +495,25 @@ class SubmitTests(BaseSubmitTestCase):
        self.assertEqual(r.status_code, 200)
        self.assertContains(r, 'The submission is pending approval by the group chairs.')

+    def test_submit_new_wg_as_author_bad_submitter(self):
+        # submit new -> supply submitter info -> approve
+        mars = GroupFactory(type_id='wg', acronym='mars')
+        draft = WgDraftFactory(group=mars)
+        setup_default_community_list_for_group(draft.group)
+
+        name = "draft-ietf-mars-testing-tests"
+        rev = "00"
+        group = "mars"
+
+        status_url, author = self.do_submission(name, rev, group)
+        username = author.user.email
+
+        # supply submitter info with MIME-encoded name
+        self.client.login(username=username, password=username+'+password')  # log in as the author
+        r = self.supply_extra_metadata(name, status_url, '=?utf-8?q?Peter_Christen_Asbj=C3=B8rnsen?=', author.email().address.lower(), replaces=[])
+        self.assertEqual(r.status_code, 200)
+        self.assertContains(r, 'appears to be a MIME-encoded string')
+
    def submit_new_concluded_wg_as_author(self, group_state_id='conclude'):
        """A new concluded WG submission by a logged-in author needs AD approval"""
        mars = GroupFactory(type_id='wg', acronym='mars', state_id=group_state_id)