Message 125932 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	r.david.murray
Recipients	Arfrever, barry, jwilk, loewis, pl, r.david.murray, terry.reedy, vvl, ysj.ray
Date	2011-01-10.21:32:34
SpamBayes Score	0.00031324802
Marked as misclassified	No
Message-id	<1294695156.48.0.277466261683.issue5871@psf.upfronthosting.co.za>
In-reply-to

Content
Well, imagine a web form that has a 'subject' text entry field, and the application does Message['Subject'] = subject_from_form as it builds a Message to hand off to smtp.sendmail. If the application didn't sanitize the subject for newlines (and as a programmer I doubt I would have thought of doing that), then we can have header injection. So, yes, it is analogous to an sql injection attack. Since we don't have a report of an exploit, I'm fine with not backporting it.

Well, imagine a web form that has a 'subject' text entry field, and the application does Message['Subject'] = subject_from_form as it builds a Message to hand off to smtp.sendmail.  If the application didn't sanitize the subject for newlines (and as a programmer I doubt I would have thought of doing that), then we can have header injection.  So, yes, it is analogous to an sql injection attack.

Since we don't have a report of an exploit, I'm fine with not backporting it.

History
Date	User	Action	Args
2011-01-10 21:32:36	r.david.murray	set	recipients: + r.david.murray, loewis, barry, terry.reedy, jwilk, pl, Arfrever, ysj.ray, vvl
2011-01-10 21:32:36	r.david.murray	set	messageid: <1294695156.48.0.277466261683.issue5871@psf.upfronthosting.co.za>
2011-01-10 21:32:34	r.david.murray	link	issue5871 messages
2011-01-10 21:32:34	r.david.murray	create