This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: email.message.get_payload should enforce correct encoding
Type: security
Stage: resolved
Components:
Versions:

process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: droz, r.david.murray
Priority: normal
Keywords:

Created on 2018-07-12 18:25 by droz, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (2)
msg321574 - (view) Author: Serge Droz (droz) Date: 2018-07-12 18:25
The issue is really this:
https://noxxi.de/research/mime-5-easy-steps-to-bypass-av.html

get_payload with decode=True should check the validity of the syntax and throw an error if it is not valid. This would happen if the underlying call to base64.decode were called with validate=True.
msg321579 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2018-07-12 19:54
It looks like the virus checkers are not doing the robust decoding that the email RFCs recommend, and that Thunderbird is. This is obviously a bug in the virus scanners. By default, like Thunderbird, the email library does its best to decode attachments. If you want your application to reject such attachments, then in Python 3 you can check for defects after doing the get_payload, or you can set the policy to 'strict' (that is, raise_on_defect=True) when parsing the email.
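The two checks described in msg321579, as an added example that is not part of the original issue or of the CPython email package's own code. It builds a constructed multipart message with one base64 attachment, decodes it under email.policy.default and reports whatever defects the decoder recorded on the part, then re-parses the same bytes under email.policy.strict (raise_on_defect=True) and shows the decode being refused instead. The sender and recipient addresses, the boundary string, the attachment filename and the four non-alphabet characters spliced into the "dirty" base64 body are all constructed for this example; the exact bypass technique from the linked article is not reproduced here.

```python
import email
from email import policy
from email.errors import MessageDefect


def build_sample(body_b64: bytes) -> bytes:
    """Constructed sample message (not a real capture): a short text body
    plus one base64 attachment whose encoded bytes the caller supplies."""
    return (
        b"From: sender@example.invalid\n"
        b"To: recipient@example.invalid\n"
        b"Subject: constructed sample\n"
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/mixed; boundary="sample-boundary"\n'
        b"\n"
        b"--sample-boundary\n"
        b"Content-Type: text/plain; charset=us-ascii\n"
        b"\n"
        b"See attached.\n"
        b"--sample-boundary\n"
        b'Content-Type: application/octet-stream; name="payload.bin"\n'
        b'Content-Disposition: attachment; filename="payload.bin"\n'
        b"Content-Transfer-Encoding: base64\n"
        b"\n"
        + body_b64 + b"\n"
        b"--sample-boundary--\n"
    )


# "hello world" encoded cleanly, and the same encoding with four characters
# outside the base64 alphabet spliced into the middle (constructed junk).
# A lenient decoder discards the junk and recovers the original bytes;
# a validating decoder refuses the input outright.
CLEAN_B64 = b"aGVsbG8gd29ybGQ="
DIRTY_B64 = b"aGVsbG8g!!!!d29ybGQ="


def decode_attachments(raw: bytes, strict: bool = False):
    """Parse raw bytes and decode every attachment.

    strict=False uses email.policy.default: decoding is best-effort and any
    problem is appended to the part's .defects list for the caller to inspect.
    strict=True uses email.policy.strict (raise_on_defect=True): the first
    problem is raised as a MessageDefect, so no guessed-at payload is returned.
    Returns a list of (filename, decoded_bytes, [defect class names]).
    """
    pol = policy.strict if strict else policy.default
    msg = email.message_from_bytes(raw, policy=pol)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        # get_payload(decode=True) either registers base64 defects on the
        # part (default policy) or raises them (strict policy).
        data = part.get_payload(decode=True)
        defects = [type(d).__name__ for d in part.defects]
        results.append((part.get_filename(), data, defects))
    return results


def has_decode_defects(raw: bytes) -> bool:
    """Lenient mode: decode first, then reject if any attachment recorded a defect."""
    return any(defects for _, _, defects in decode_attachments(raw))


def strict_rejects(raw: bytes) -> bool:
    """Strict mode: True if the decoder raised instead of guessing."""
    try:
        decode_attachments(raw, strict=True)
    except MessageDefect:
        return True
    return False


if __name__ == "__main__":
    for label, b64 in (("clean", CLEAN_B64), ("dirty", DIRTY_B64)):
        raw = build_sample(b64)
        print(label, decode_attachments(raw),
              "defects:", has_decode_defects(raw),
              "strict rejects:", strict_rejects(raw))
```

Both paths see the same bytes: under the default policy the dirty attachment still decodes to the intended content, with an InvalidBase64CharactersDefect left on the part, which is the point of the report (a scanner that stops at the first bad character never sees what a lenient client will deliver). Whichever policy you pick, apply it consistently on the scanning side and on the side that hands content to users.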
History
Date                 User            Action  Args
2022-04-11 14:59:03  admin           set     github: 78285
2018-07-12 19:54:35  r.david.murray  set     status: open -> closed; nosy: + r.david.murray; messages: + msg321579; resolution: out of date; stage: resolved
2018-07-12 18:25:32  droz            set     type: security
2018-07-12 18:25:22  droz            create