Author r.david.murray
Recipients Arfrever, barry, jwilk, loewis, pl, r.david.murray, terry.reedy, vvl, ysj.ray
Date 2011-01-10.21:32:34
Message-id <1294695156.48.0.277466261683.issue5871@psf.upfronthosting.co.za>
In-reply-to
Content
Well, imagine a web form that has a 'subject' text entry field, and the application does Message['Subject'] = subject_from_form as it builds a Message to hand off to smtp.sendmail.  If the application didn't sanitize the subject for newlines (and as a programmer I doubt I would have thought of doing that), then we can have header injection.  So, yes, it is analogous to an SQL injection attack.

Since we don't have a report of an exploit, I'm fine with not backporting it.
History
Date                 User            Action  Args
2011-01-10 21:32:36  r.david.murray  set     recipients: + r.david.murray, loewis, barry, terry.reedy, jwilk, pl, Arfrever, ysj.ray, vvl
2011-01-10 21:32:36  r.david.murray  set     messageid: <1294695156.48.0.277466261683.issue5871@psf.upfronthosting.co.za>
2011-01-10 21:32:34  r.david.murray  link    issue5871 messages
2011-01-10 21:32:34  r.david.murray  create
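
The web-form scenario in the message above, as an added example that is not part of the original message or of the CPython patch: it shows where a current Python 3 `email` package stops a subject containing a line break, next to an application-side check. The helper names, addresses and sample subject are constructed for illustration.

```python
from email.errors import MessageError
from email.message import EmailMessage, Message

# Constructed sample of untrusted form input: a line break, then a header-like line.
HOSTILE_SUBJECT = "Quarterly report\nX-Injected: yes"


def clean_subject(raw: str) -> str:
    """Application-side check: refuse CR or LF before the value reaches a header."""
    if "\r" in raw or "\n" in raw:
        raise ValueError("subject contains a line break")
    return raw.strip()


def build_legacy(subject: str) -> str:
    """Message API as in the post: assignment succeeds, the check runs on serialization."""
    msg = Message()
    msg["From"] = "app@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_payload("body")
    return msg.as_string()


def build_modern(subject: str) -> str:
    """EmailMessage API: the default policy rejects the value at assignment."""
    msg = EmailMessage()
    msg["From"] = "app@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("body")
    return msg.as_string()


def outcome(builder, subject: str) -> str:
    """Return 'ok', 'injected', or the name of the exception that stopped the message."""
    try:
        text = builder(subject)
    except (MessageError, ValueError) as exc:
        return type(exc).__name__
    headers = text.split("\n\n", 1)[0]
    return "injected" if "\nX-Injected:" in headers else "ok"


if __name__ == "__main__":
    for build in (build_legacy, build_modern):
        print(build.__name__, outcome(build, HOSTILE_SUBJECT), outcome(build, "Quarterly report"))
```

With the legacy `Message` class the error only surfaces when the message is serialized, so validating the form value with something like `clean_subject` lets the application reject the request before any message is built.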