The following will hang, and consume a large amount of memory:

from email.parser import BytesParser, Parser
from email.policy import default
payload = "".join(chr(c) for c in [0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x78, 0x3b, 0x61, 0x72, 0x1b, 0x2a, 0x3d, 0x22, 0x73, 0x4f, 0x27, 0x23, 0x61, 0xff, 0xff, 0x27, 0x5c, 0x22])
Parser(policy=default).parsestr(payload)

Sounds like there is an infinite loop here:


```
Pdb) 
> /usr/lib/python3.7/email/_header_value_parser.py(2370)get_parameter()
-> v.append(token)
(Pdb) 
> /usr/lib/python3.7/email/_header_value_parser.py(2365)get_parameter()
-> while value:
```

the ```v.append(token)``` is just growing with ```ValueTerminal(''), ValueTerminal(''), ValueTerminal('')...```

I'd be happy to try to fix this.

Since the parser could take user input this looks like a security issue to me along with high CPU usage. Feel free to remove the tag if it's not a security issue. Thanks.

I'm terribly sorry, but I feel I won't be able to fix this issue. Sorry for fuss. Closing my PR, because it's broken.

>>> bytes([0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x78, 0x3b, 0x61, 0x72, 0x1b, 0x2a, 0x3d, 0x22, 0x73, 0x4f, 0x27, 0x23, 0x61, 0xff, 0xff, 0x27, 0x5c, 0x22])
b'Content-Type:x;ar\x1b*="sO\'#a\xff\xff\'\\"'

The following loop of Lib/email/_header_value_parser.py does never stop:

def get_parameter(value):
    """ attribute [section] ["*"] [CFWS] "=" value

    The CFWS is implied by the RFC but not made explicit in the BNF.  This
    simplified form of the BNF from the RFC is made to conform with the RFC BNF
    through some extra checks.  We do it this way because it makes both error
    recovery and working with the resulting parse tree easier.
    """
    ...
    if remainder is not None:
        ...
        while value:
            ...

Attached reproducer.py is code from initial msg346953.

reproducer2.py simplify the input and calls directly get_parameter(). Simplified input string:

   r*="'a'\"

I have proposed a PR for this: https://github.com/python/cpython/pull/14794

Reviews are welcome.

I used fuzzing to find this bug. After applying your patch, the infinite loop is gone and it cannot find any other bugs of this nature.

New changeset a4a994bd3e619cbaff97610a1cee8ffa87c672f5 by Barry Warsaw (Abhilash Raj) in branch 'master':
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
https://github.com/python/cpython/commit/a4a994bd3e619cbaff97610a1cee8ffa87c672f5

New changeset 391511ccaaf0050970dfbe95bf2df1bcf6c33440 by Miss Islington (bot) in branch '3.7':
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
https://github.com/python/cpython/commit/391511ccaaf0050970dfbe95bf2df1bcf6c33440

New changeset 6816ca30af7705db691343100e696ea3d8f447d5 by Miss Islington (bot) in branch '3.8':
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
https://github.com/python/cpython/commit/6816ca30af7705db691343100e696ea3d8f447d5

3.5 also seems to be affected. git cherry pick works and the patch fixes the problem so I assume the backport would be straightforward. Since 3.5 is open for security fixes with 3.5.8 as next release I am adding Larry.

$ git cherry-pick a4a994b
Performing inexact rename detection: 100% (566740/566740), done.
[detached HEAD 9877e9283c] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
 Author: Abhilash Raj <maxking@users.noreply.github.com>
 Date: Wed Jul 17 09:44:27 2019 -0700
 3 files changed, 12 insertions(+)
 create mode 100644 bpo-37461.1Ahz7O.rst">Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst

New changeset 1789bbdd3e03023951a39933ef12dee0a03be616 by Ned Deily (Miss Islington (bot)) in branch '3.6':
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)
https://github.com/python/cpython/commit/1789bbdd3e03023951a39933ef12dee0a03be616

New changeset 799e4e527019d9429fdef12d08a0c03b08a1fb59 by Ned Deily (GeeTransit) in branch '3.7':
[3.7] bpo-37461: Fix typo (inifite -> infinite) (GH-15430)
https://github.com/python/cpython/commit/799e4e527019d9429fdef12d08a0c03b08a1fb59

New changeset f1f9c0c532089824791cfc18e6d6f29e1cd62596 by Ned Deily (GeeTransit) in branch '3.6':
[3.6] bpo-37461: Fix typo (inifite -> infinite) (#15432)
https://github.com/python/cpython/commit/f1f9c0c532089824791cfc18e6d6f29e1cd62596

xtreak, would you be willing to make the PR for 3.5?  That will make it easier for Larry to decide whether to include it in a 3.5 security release.

I manually created a backport PR for 3.5 and added Larry as a reviewer.

https://github.com/python/cpython/pull/15446

New changeset c28e4a5160d3283b12514c7c28ed6e0a2a52271a by larryhastings (Abhilash Raj) in branch '3.5':
[3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446)
https://github.com/python/cpython/commit/c28e4a5160d3283b12514c7c28ed6e0a2a52271a

This seems complete, can it be closed?

Thanks everyone for the fixes; I think this bug is now resolved.  Closing.