Email Injection in Django with Basic Auth
Email Injection in Django with Basic Auth — how this specific combination creates or exposes the vulnerability
Email injection in Django applications using HTTP Basic Authentication can occur when user-controlled input is passed into email-related functions without proper validation or escaping. In this combination, authentication is performed via the Authorization header using Base64-encoded username:password pairs. While Basic Auth itself does not directly process email, developers often use authenticated user data—such as the username or email claim—to construct email headers, templates, or logs. If these values are concatenated into email addresses, display names, or message bodies without sanitization, attackers can inject additional email header lines (e.g., CC, BCC, Reply-To) or break out of the intended header context.
For example, consider a view that sends a notification email using the authenticated user’s username in the Reply-To header:
from django.http import HttpResponse
from django.contrib.auth.decorators import login_required
import smtplib
from email.mime.text import MIMEText
@login_required
def notify(request):
user_email = request.user.email
username = request.user.username # could be attacker-controlled via registration or profile update
msg = MIMEText('Here is your report.')
msg['Subject'] = 'Report'
msg['From'] = '[email protected]'
msg['To'] = user_email
msg['Reply-To'] = f'{username} <{user_email}>' # vulnerable if username contains newline or special chars
with smtplib.SMTP('localhost') as server:
server.send_message(msg)
return HttpResponse('Sent')
If an attacker registers or updates a profile with a username such as [email protected]\r\nCC: [email protected], the resulting email header can be manipulated to send copies to unintended recipients. This happens because the newline characters (CRLF) are not stripped or encoded, and the email library treats them as header separators. Django’s built-in user model does not inherently validate newline characters in username or email fields, so the application must enforce strict input validation when these values are used in email contexts.
Basic Auth does not mitigate this risk; it only provides a transport-layer identity mechanism. The vulnerability arises from insecure handling of identity data after authentication. Attackers may also probe unauthenticated endpoints using automated tools like middleBrick, which runs 12 parallel security checks including Input Validation and Unsafe Consumption to detect header injection patterns. Even without authenticated sessions, scanners can identify endpoints that reflect user input into email headers and surface findings with severity and remediation guidance.
Real-world email injection patterns align with the OWASP API Top 10 and broader web security concerns around data exposure and header manipulation. For instance, CVE-2021-29601 documents similar injection flaws in web frameworks where user data is improperly confined to email header values. In Django, developers should treat any user-controlled string that reaches email headers as untrusted, applying canonicalization and strict allow-listing before use.
Basic Auth-Specific Remediation in Django — concrete code fixes
To prevent email injection when using Basic Auth in Django, sanitize and validate any user-derived data before incorporating it into email headers. The safest approach is to avoid placing raw usernames or emails in headers that support multiple lines or structured fields. Use explicit allow-listing for email addresses and encode display names to remove or neutralize control characters.
Below is a secure example that validates the email format and ensures the display name contains no newline or carriage-return characters:
import re
from django.http import HttpResponse
from django.contrib.auth.decorators import login_required
import smtplib
from email.mime.text import MIMEText
from django.core.exceptions import ValidationError
from django.core.validators import validate_email
EMAIL_REGEX = re.compile(r'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$')
def sanitize_display_name(name: str) -> str:
# Remove CR and LF characters to prevent header injection
return name.replace('\r', '').replace('\n', '').strip()
@login_required
def notify(request):
user_email = request.user.email
# Validate stored email; reject if malformed
try:
validate_email(user_email)
except ValidationError:
return HttpResponse('Invalid email', status=400)
# Ensure email matches expected pattern
if not EMAIL_REGEX.match(user_email):
return HttpResponse('Email format not allowed', status=400)
username = sanitize_display_name(request.user.username)
msg = MIMEText('Here is your report.')
msg['Subject'] = 'Report'
msg['From'] = '[email protected]'
msg['To'] = user_email
# Safe: display name is sanitized and email is validated
msg['Reply-To'] = f'{username} <{user_email}>'
with smtplib.SMTP('localhost') as server:
server.send_message(msg)
return HttpResponse('Sent')
Additional measures include configuring Django’s AUTH_USER_MODEL to restrict username characters at the model level and using form validation to reject newline characters during registration or profile updates. For example, override the clean_username method in your user form:
from django import forms
from django.contrib.auth import get_user_model
User = get_user_model()
class UserProfileForm(forms.ModelForm):
class Meta:
model = User
fields = ['username', 'email']
def clean_username(self):
username = self.cleaned_data['username']
if '\n' in username or '\r' in username:
raise forms.ValidationError('Username cannot contain newline characters.')
return username
If you use the middleBrick CLI to scan your endpoints, commands like middlebrick scan <url> can be integrated into testing workflows to verify that unauthenticated probes do not expose header-injection risks. For teams requiring deeper assurance, the Pro plan supports continuous monitoring and CI/CD integration, allowing scans to be triggered on schedule or during pull requests to catch regressions before deployment.