From 5006ea53e686a82d8dbfa10ce2f5c7262f91ffa7 Mon Sep 17 00:00:00 2001
From: Paul Selkirk
Date: Mon, 4 Dec 2023 14:10:36 -0500
Subject: [PATCH] fix: Reject obvious bad encoding pastes into the Submitter field in submissions (#6702)
---
 ietf/submit/forms.py | 16 +++++++++++++++-
 ietf/submit/tests.py | 21 ++++++++++++++++++++-
 2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/ietf/submit/forms.py b/ietf/submit/forms.py
index 0b48dae2a..4a71d7beb 100644
--- a/ietf/submit/forms.py
+++ b/ietf/submit/forms.py
@@ -1,4 +1,4 @@
-# Copyright The IETF Trust 2011-2022, All Rights Reserved
+# Copyright The IETF Trust 2011-2023, All Rights Reserved
 # -*- coding: utf-8 -*-
@@ -758,6 +758,20 @@ class SubmitterForm(NameEmailForm):
 line = formataddr((line, email))
 return line
+ def clean_name(self):
+ name = super(SubmitterForm, self).clean_name()
+ if name.startswith('=?'):
+ msg = f'"{name}" appears to be a MIME-encoded string.'
+ try:
+ import email.header
+ text, encoding = email.header.decode_header(name)[0]
+ decoded_name = text.decode(encoding)
+ msg += f' Did you mean "{decoded_name}"?'
+ except:
+ pass
+ raise forms.ValidationError(msg)
+ return name
+
 class ReplacesForm(forms.Form):
 replaces = SearchableDocAliasesField(required=False, help_text="Any Internet-Drafts that this document replaces (approval required for replacing an Internet-Draft you are not the author of)")
diff --git a/ietf/submit/tests.py b/ietf/submit/tests.py
index 572d7bda9..8b1551cc1 100644
--- a/ietf/submit/tests.py
+++ b/ietf/submit/tests.py
@@ -1,4 +1,4 @@
-# Copyright The IETF Trust 2011-2022, All Rights Reserved
+# Copyright The IETF Trust 2011-2023, All Rights Reserved
 # -*- coding: utf-8 -*-
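Review bot: The bare `except:` around the decoding hint in `clean_name` (ietf/submit/forms.py) also traps `SystemExit` and `KeyboardInterrupt` and hides which failure occurred; since the hint is deliberately best-effort, `except Exception:` with a comment such as `# best-effort hint; fall back to the generic message` is the minimal change. The failures this code can actually hit are an unknown charset label (`LookupError`), undecodable bytes (`UnicodeDecodeError`), and `decode_header` handing back a `str` with a `None` charset when the text is not a well-formed encoded-word (`AttributeError` on `.decode`). Only the first chunk is decoded (`[0]`), so a name pasted as several encoded-words gets a truncated suggestion; `decoded_name = str(email.header.make_header(email.header.decode_header(name)))` covers every chunk and the `None` charset case. The charset label and the decoded text are both submitter-controlled, and the decoded form can contain characters that were not present in the raw input, so the message is safe to display only if the form error is rendered through template autoescaping, which this hunk does not show.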
@@ -495,6 +495,25 @@ class SubmitTests(BaseSubmitTestCase):
 self.assertEqual(r.status_code, 200)
 self.assertContains(r, 'The submission is pending approval by the group chairs.')
+ def test_submit_new_wg_as_author_bad_submitter(self):
+ # submit new -> supply submitter info -> approve
+ mars = GroupFactory(type_id='wg', acronym='mars')
+ draft = WgDraftFactory(group=mars)
+ setup_default_community_list_for_group(draft.group)
+
+ name = "draft-ietf-mars-testing-tests"
+ rev = "00"
+ group = "mars"
+
+ status_url, author = self.do_submission(name, rev, group)
+ username = author.user.email
+
+ # supply submitter info with MIME-encoded name
+ self.client.login(username=username, password=username+'+password') # log in as the author
+ r = self.supply_extra_metadata(name, status_url, '=?utf-8?q?Peter_Christen_Asbj=C3=B8rnsen?=', author.email().address.lower(), replaces=[])
+ self.assertEqual(r.status_code, 200)
+ self.assertContains(r, 'appears to be a MIME-encoded string')
+
 def submit_new_concluded_wg_as_author(self, group_state_id='conclude'):
 """A new concluded WG submission by a logged-in author needs AD approval"""
 mars = GroupFactory(type_id='wg', acronym='mars', state_id=group_state_id)
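Review bot: `test_submit_new_wg_as_author_bad_submitter` pins only the generic message, so the "Did you mean" suggestion and the fallback path behind the `except` in `clean_name` are both untested. Adding `self.assertContains(r, 'Did you mean')` would cover the decoded hint, and a second call with an undecodable value (constructed example: `'=?no-such-charset?q?abc?='`) followed by `self.assertNotContains(r, 'Did you mean')` would cover the fallback. A 200 response alone does not show that the rejected name was kept out of the submission record, so an assertion on the stored submitter would make the rejection explicit. The leading comment `# submit new -> supply submitter info -> approve` appears to be carried over from a neighbouring test, since nothing is approved here; `# submit new -> supply MIME-encoded submitter name -> expect form error` describes the flow.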