Email Escaping about dice-server-js HOT 2 CLOSED

The "To: " field in the SMTP protocol allows a comma separated to send an emial to multiple recipients at once.

Let me make sure I'm understanding your problem correctly... Are you talking about the SMTP protocol or the nodemailer module? I don't think the dice server code is doing raw SMTP. IIRC, SMTP requires a separate RCPT command be sent to the server for each recipient. I don't believe multiple recipients are specified in a single comma-separated list passed to one RCPT command.

Looking at the nodemailer docs, I see where the to field of the configuration passed to sendMail() says it accepts a comma-separated list of addresses. Presumably, the library handles breaking up the comma-separated list into multiple RCPT commands when it communicates with an SMTP server.

I'm going to assume going forward that it's the nodemailer API that's what you're concerned about regarding the need to escape commas.

I don't think there's a limit to this, so a maliciously crafted parameter could trick the server into sending a registration email to hundreds of people using just a single request.

Since a comma is not a valid character in an SMTP address per RFC 5322, could we not simply just validate the incoming address to ensure it is valid before sending the registration email? That is, we basically guarantee that no comma-separated list is ever passed in the to field of the sendMail() configuration.

from dice-server-js.

That's exactly what I meant.
I wasn't sure about the comma thing probably because it is a valid character if put in quotes put before the actual email as display name, probably what confused me.

from dice-server-js.