msg358544 | Author: Jasper Spaans (jap) | Date: 2019-12-17 12:46
big-bob:t spaans$ cat fak.py
import sys
from email.message import EmailMessage
from email.policy import SMTP
from email.headerregistry import Address
msg = EmailMessage(policy=SMTP)
a = Address(display_name='Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>\r\nX:', addr_spec='evil@local')
msg['To'] = a
print(sys.version)
print(msg.as_string())
big-bob:t spaans$ python3.5 fak.py
3.5.2 (default, Jul 16 2019, 13:40:43)
[GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)]
To: "Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>
X:" <evil@local>
big-bob:t spaans$ python3.8 fak.py
3.8.0 (default, Dec 17 2019, 13:32:18)
[Clang 11.0.0 (clang-1100.0.33.16)]
To: Extra Extra Read All About It This Line Does Not Fit In 80 Characters So
Should Be Wrapped <dev@local>
X: <evil@local>

msg358545 | Author: Jasper Spaans (jap) | Date: 2019-12-17 12:50
As can be seen above, 3.5 wraps the realname in a double quote, but 3.8 fails to do so. Note that 3.5 also does not add a whitespace in front of the line starting with "X:", so it is also not merged with the previous line when parsing.
I guess we'll have to disallow \r and \n in displaynames for now.

msg358572 | Author: R. David Murray (r.david.murray) | Date: 2019-12-17 20:24
Hmm. Yes, \r\n should be disallowed in the arguments to Address. I thought it already was, so that's a bug. That bug produces the other apparent bug as well: because the X: was treated as a separate line, the previous header did not need double quotes so they are no longer added.
So there's no 3.8 specific bug here, but there is a bug.
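Pre-validation for application code on an interpreter that predates the fix, plus a probe for whether the running interpreter already rejects CR/LF, as an added example that is not code from the issue thread or from CPython; the names make_address, address_parts_are_clean, interpreter_rejects_crlf, header_field_names and render_to_header are assumed here.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage
from email.policy import SMTP

# The fix in #19007 rejects a CR or LF anywhere in an address part; mirror that.
_CR_OR_LF = re.compile(r"[\r\n]")


def address_parts_are_clean(display_name, addr_spec):
    """True when neither part can start a new header line once serialized."""
    return not (_CR_OR_LF.search(display_name) or _CR_OR_LF.search(addr_spec))


def make_address(display_name, addr_spec):
    """Build an Address, failing closed on CR/LF before it reaches the parser.

    Assumed wrapper name, not part of the stdlib.  On an unpatched interpreter
    this is the check the application has to supply itself.
    """
    if not address_parts_are_clean(display_name, addr_spec):
        raise ValueError("address parts must not contain CR or LF")
    return Address(display_name=display_name, addr_spec=addr_spec)


def interpreter_rejects_crlf():
    """Probe whether this Python's Address() already refuses CR/LF in parts
    (3.5.10, 3.6.11, 3.7.8, 3.8.4 and 3.9.0a6 onward, per the issue)."""
    try:
        Address(display_name="x\r\ny:", addr_spec="probe@example.invalid")
    except ValueError:
        return True
    return False


def header_field_names(msg_text):
    """Field names at the start of each header line of a serialized message.

    Folded continuation lines begin with whitespace and are skipped, so a name
    the application never set (the 'X' in the report) signals an injection.
    """
    header_block = re.split(r"\r?\n\r?\n", msg_text, maxsplit=1)[0]
    return [line.split(":", 1)[0] for line in header_block.splitlines()
            if line and line[0] not in " \t"]


def render_to_header(display_name, addr_spec):
    """Serialize a message whose To: header comes from make_address()."""
    msg = EmailMessage(policy=SMTP)
    msg["To"] = make_address(display_name, addr_spec)
    return msg.as_string()
```

The long display name from the report folds onto a whitespace-led continuation line, so header_field_names() reports only "To"; the constructed injected message in the test shows what a CRLF that got through looks like to the same check.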

msg364273 | Author: R. David Murray (r.david.murray) | Date: 2020-03-16 01:00
Thanks for the PR. I've made some review comments.

msg365287 | Author: R. David Murray (r.david.murray) | Date: 2020-03-30 00:38
New changeset 614f17211c5fc0e5b828be1d3320661d1038fe8f by Ashwin Ramaswami in branch 'master':
bpo-39073: validate Address parts to disallow CRLF (#19007)
https://github.com/python/cpython/commit/614f17211c5fc0e5b828be1d3320661d1038fe8f

msg365288 | Author: R. David Murray (r.david.murray) | Date: 2020-03-30 00:40
Thanks!

msg369659 | Author: Cheryl Sabella (cheryl.sabella) | Date: 2020-05-22 22:20
There are 3 open PRs for the backport of this to 3.6, 3.7, and 3.8. It looks like they just need to be approved and miss-islington will take care of the rest.

msg370076 | Author: miss-islington (miss-islington) | Date: 2020-05-27 13:37
New changeset 75635c6095bcfbb9fccc239115d3d03ae20a307f by Miss Islington (bot) in branch '3.8':
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f

msg370077 | Author: miss-islington (miss-islington) | Date: 2020-05-27 13:38
New changeset a93bf82980d7c02217a088bafa193f32a4d13abb by Miss Islington (bot) in branch '3.7':
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb

msg370080 | Author: STINNER Victor (vstinner) | Date: 2020-05-27 13:48
I created PR 20450: backport to 3.5, since it's a security fix.

msg370081 | Author: STINNER Victor (vstinner) | Date: 2020-05-27 13:49
FYI I created https://python-security.readthedocs.io/vuln/email-address-header-injection.html to track fixes of this vulnerability.

msg370151 | Author: Ned Deily (ned.deily) | Date: 2020-05-27 23:17
New changeset 7df32f844efed33ca781a016017eab7050263b90 by Miss Islington (bot) in branch '3.6':
bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90

msg371386 | Author: Larry Hastings (larry) | Date: 2020-06-12 15:33
New changeset f91a0b6df14d6c5133fe3d5889fad7d84fc0c046 by Victor Stinner in branch '3.5':
bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450)
https://github.com/python/cpython/commit/f91a0b6df14d6c5133fe3d5889fad7d84fc0c046

msg373948 | Author: Ned Deily (ned.deily) | Date: 2020-07-19 09:42
Merged for release in 3.9.0a6, 3.8.4, 3.7.8, 3.6.11, and 3.5.10.

Issue history

Date | User | Action | Args
2022-04-11 14:59:24 | admin | set | github: 83254
2020-07-19 09:42:15 | ned.deily | set | status: open -> closed; resolution: fixed; messages: + msg373948; stage: patch review -> resolved
2020-06-12 15:33:26 | larry | set | nosy: + larry; messages: + msg371386
2020-05-27 23:17:58 | ned.deily | set | nosy: + ned.deily; messages: + msg370151
2020-05-27 13:49:40 | vstinner | set | title: email incorrect handling of crlf in Address objects. -> [security] email module incorrect handling of CR and LF newline characters in Address objects.
2020-05-27 13:49:21 | vstinner | set | messages: + msg370081
2020-05-27 13:48:27 | vstinner | set | messages: + msg370080; versions: + Python 3.5, Python 3.6, Python 3.7, Python 3.9, Python 3.10
2020-05-27 13:47:46 | vstinner | set | nosy: + vstinner; pull_requests: + pull_request19704; stage: backport needed -> patch review
2020-05-27 13:38:18 | miss-islington | set | messages: + msg370077
2020-05-27 13:37:47 | miss-islington | set | messages: + msg370076
2020-05-22 22:20:39 | cheryl.sabella | set | nosy: + cheryl.sabella; messages: + msg369659
2020-03-30 00:40:26 | r.david.murray | set | stage: patch review -> backport needed
2020-03-30 00:40:01 | r.david.murray | set | messages: + msg365288
2020-03-30 00:39:30 | miss-islington | set | pull_requests: + pull_request18586
2020-03-30 00:39:21 | miss-islington | set | pull_requests: + pull_request18585
2020-03-30 00:39:12 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request18584
2020-03-30 00:38:47 | r.david.murray | set | messages: + msg365287
2020-03-16 01:00:29 | r.david.murray | set | messages: + msg364273
2020-03-15 01:28:02 | epicfaace | set | keywords: + patch; nosy: + epicfaace; pull_requests: + pull_request18352; stage: patch review
2019-12-17 20:24:21 | r.david.murray | set | messages: + msg358572; title: email regression in 3.8: folding -> email incorrect handling of crlf in Address objects.
2019-12-17 12:50:18 | jap | set | messages: + msg358545
2019-12-17 12:46:43 | jap | create |