classification
Title: [security] email module incorrect handling of CR and LF newline characters in Address objects.
Type: security Stage: patch review
Components: email Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: barry, cheryl.sabella, epicfaace, jap, larry, miss-islington, ned.deily, r.david.murray, vstinner
Priority: normal Keywords: patch

Created on 2019-12-17 12:46 by jap, last changed 2020-06-12 15:33 by larry.

Pull Requests
URL Status Linked Edit
PR 19007 merged epicfaace, 2020-03-15 01:28
PR 19222 merged miss-islington, 2020-03-30 00:39
PR 19223 merged miss-islington, 2020-03-30 00:39
PR 19224 merged miss-islington, 2020-03-30 00:39
PR 20450 merged vstinner, 2020-05-27 13:47
Messages (13)
msg358544 - (view) Author: Jasper Spaans (jap) * Date: 2019-12-17 12:46
big-bob:t spaans$ cat fak.py
import sys

from email.message import EmailMessage
from email.policy import SMTP
from email.headerregistry import Address

msg = EmailMessage(policy=SMTP)

a = Address(display_name='Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>\r\nX:', addr_spec='evil@local')
msg['To'] = a
print(sys.version)
print(msg.as_string())
big-bob:t spaans$ python3.5 fak.py
3.5.2 (default, Jul 16 2019, 13:40:43) 
[GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)]
To: "Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>
X:" <evil@local>


big-bob:t spaans$ python3.8 fak.py
3.8.0 (default, Dec 17 2019, 13:32:18) 
[Clang 11.0.0 (clang-1100.0.33.16)]
To: Extra Extra Read All About It This Line Does Not Fit In 80 Characters So
 Should Be Wrapped <dev@local>
X: <evil@local>
msg358545 - (view) Author: Jasper Spaans (jap) * Date: 2019-12-17 12:50
As can be seen above, 3.5 wraps the realname in a double quote, but 3.8 fails to do so. Note that 3.5 also does not add a whitespace in front of the line starting with "X:", so it is also not merged with the previous line when parsing.

I guess we'll have to disallow \r and \n in displaynames for now.
msg358572 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2019-12-17 20:24
Hmm.  Yes, \r\n should be disallowed in the arguments to Address.  I thought it already was, so that's a bug.  That bug produces the other apparent bug as well: because the X: was treated as a separate line, the previous header did not need double quotes so they are no longer added.

So there's no 3.8 specific bug here, but there is a bug.
msg364273 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2020-03-16 01:00
Thanks for the PR.  I've made some review comments.
msg365287 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2020-03-30 00:38
New changeset 614f17211c5fc0e5b828be1d3320661d1038fe8f by Ashwin Ramaswami in branch 'master':
bpo-39073: validate Address parts to disallow CRLF (#19007)
https://github.com/python/cpython/commit/614f17211c5fc0e5b828be1d3320661d1038fe8f
msg365288 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2020-03-30 00:40
Thanks!
msg369659 - (view) Author: Cheryl Sabella (cheryl.sabella) * (Python committer) Date: 2020-05-22 22:20
There are 3 open PRs for the backport of this to 3.6, 3.7, and 3.8.  It looks like they just need to be approved and miss-islington will take care of the rest.
msg370076 - (view) Author: miss-islington (miss-islington) Date: 2020-05-27 13:37
New changeset 75635c6095bcfbb9fccc239115d3d03ae20a307f by Miss Islington (bot) in branch '3.8':
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f
msg370077 - (view) Author: miss-islington (miss-islington) Date: 2020-05-27 13:38
New changeset a93bf82980d7c02217a088bafa193f32a4d13abb by Miss Islington (bot) in branch '3.7':
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
msg370080 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-05-27 13:48
I created PR 20450: backport to 3.5, since it's a security fix.
msg370081 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-05-27 13:49
FYI I created https://python-security.readthedocs.io/vuln/email-address-header-injection.html to track fixes of this vulnerability.
msg370151 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-05-27 23:17
New changeset 7df32f844efed33ca781a016017eab7050263b90 by Miss Islington (bot) in branch '3.6':
bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90
msg371386 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2020-06-12 15:33
New changeset f91a0b6df14d6c5133fe3d5889fad7d84fc0c046 by Victor Stinner in branch '3.5':
bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450)
https://github.com/python/cpython/commit/f91a0b6df14d6c5133fe3d5889fad7d84fc0c046
History
Date User Action Args
2020-06-12 15:33:26larrysetnosy: + larry
messages: + msg371386
2020-05-27 23:17:58ned.deilysetnosy: + ned.deily
messages: + msg370151
2020-05-27 13:49:40vstinnersettitle: email incorrect handling of crlf in Address objects. -> [security] email module incorrect handling of CR and LF newline characters in Address objects.
2020-05-27 13:49:21vstinnersetmessages: + msg370081
2020-05-27 13:48:27vstinnersetmessages: + msg370080
versions: + Python 3.5, Python 3.6, Python 3.7, Python 3.9, Python 3.10
2020-05-27 13:47:46vstinnersetnosy: + vstinner

pull_requests: + pull_request19704
stage: backport needed -> patch review
2020-05-27 13:38:18miss-islingtonsetmessages: + msg370077
2020-05-27 13:37:47miss-islingtonsetmessages: + msg370076
2020-05-22 22:20:39cheryl.sabellasetnosy: + cheryl.sabella
messages: + msg369659
2020-03-30 00:40:26r.david.murraysetstage: patch review -> backport needed
2020-03-30 00:40:01r.david.murraysetmessages: + msg365288
2020-03-30 00:39:30miss-islingtonsetpull_requests: + pull_request18586
2020-03-30 00:39:21miss-islingtonsetpull_requests: + pull_request18585
2020-03-30 00:39:12miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request18584
2020-03-30 00:38:47r.david.murraysetmessages: + msg365287
2020-03-16 01:00:29r.david.murraysetmessages: + msg364273
2020-03-15 01:28:02epicfaacesetkeywords: + patch
nosy: + epicfaace

pull_requests: + pull_request18352
stage: patch review
2019-12-17 20:24:21r.david.murraysetmessages: + msg358572
title: email regression in 3.8: folding -> email incorrect handling of crlf in Address objects.
2019-12-17 12:50:18japsetmessages: + msg358545
2019-12-17 12:46:43japcreate