SECURITY: Prevent placeholder injcetion in plaintext emails

This commit is contained in:
Kara Engelhardt
2026-02-12 13:10:26 +01:00
committed by Raphael Michel
parent d1686df07c
commit ae6014708b
2 changed files with 186 additions and 4 deletions


@@ -256,7 +256,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
_autoextend_context(context, order)
# Build raw content
body_plain = render_mail(template, context, placeholder_mode=SafeFormatter.MODE_RICH_TO_PLAIN)
body_plain = render_mail(template, context, placeholder_mode=None)
if settings_holder:
signature = str(settings_holder.settings.get('mail_text_signature'))
else:
@@ -267,7 +267,8 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
body_plain = format_map(body_plain, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)
# Build subject
subject = str(subject).format_map(TolerantDict(context))
subject = format_map(subject, context)
subject = raw_subject = subject.replace('\n', ' ').replace('\r', '')[:900]
if settings_holder:
subject = prefix_subject(settings_holder, subject)
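Review bot: The ordering the second hunk now depends on — render with `placeholder_mode=None`, append the signature, then a single `format_map(body_plain, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)` over the finished body — is not explained anywhere in the code, so a later edit that moves the signature append below that line or adds a second substitution pass would quietly reintroduce the re-interpretation of already-substituted values as templates. Add above the new `format_map` line a comment such as `# Substitute placeholders exactly once, here, after the signature is appended; never run format_map on body_plain again, since substituted values and the signature must not be re-parsed as templates.` The subject now goes through `format_map(subject, context)` with no `mode=` argument while the body passes `MODE_RICH_TO_PLAIN`; presumably the default mode yields plain text, but since the result becomes a mail header it is worth confirming that no rich/link markup from a placeholder can reach it before the `[:900]` truncation. The enclosing `mail()` begins before the first hunk and continues past the last, so if an HTML body is assembled by a similar render-then-append sequence elsewhere in it, that path should follow the same single-pass order.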