Message125932
Well, imagine a web form that has a 'subject' text entry field, and the application does Message['Subject'] = subject_from_form as it builds a Message to hand off to smtp.sendmail. If the application didn't sanitize the subject for newlines (and as a programmer I doubt I would have thought of doing that), then we can have header injection. So, yes, it is analogous to an SQL injection attack.
Since we don't have a report of an exploit, I'm fine with not backporting it.

Date | User | Action | Args
2011-01-10 21:32:36 | r.david.murray | set | recipients: + r.david.murray, loewis, barry, terry.reedy, jwilk, pl, Arfrever, ysj.ray, vvl
2011-01-10 21:32:36 | r.david.murray | set | messageid: <1294695156.48.0.277466261683.issue5871@psf.upfronthosting.co.za>
2011-01-10 21:32:34 | r.david.murray | link | issue5871 messages
2011-01-10 21:32:34 | r.david.murray | create |
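As an added example, not code from the tracker or from the email package: the form handler the comment describes, with the subject checked for CR/LF before it is stored as a header, plus a check that the current EmailMessage default policy refuses such a value on its own. The function names (validate_header_value, build_message, header_names, library_rejects) and the sample addresses are assumptions.

```python
import re
from email.message import EmailMessage
from email.policy import default

# Any CR, LF or NUL in a header value can end the header and start a new one
# (e.g. an extra Bcc:), so the application refuses such input before it ever
# reaches the email library. Constructed helper, not code from the issue.
_HEADER_CTL = re.compile(r"[\r\n\x00]")


def validate_header_value(value: str) -> str:
    """Return value unchanged if it can be used as a single header value,
    otherwise raise ValueError."""
    if _HEADER_CTL.search(value):
        raise ValueError("header value contains CR, LF or NUL")
    return value


def build_message(subject: str, sender: str, recipient: str,
                  body: str) -> EmailMessage:
    """Build the message the way the form handler in the comment does,
    but validate the user-supplied subject first (constructed example)."""
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = validate_header_value(subject)
    msg.set_content(body)
    return msg


def header_names(msg: EmailMessage) -> list:
    """Header names of the serialized message, in order. A successful
    injection would show up here as an extra name such as 'Bcc'."""
    head = msg.as_string().split("\n\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.splitlines()
            if line and not line[0].isspace()]


def library_rejects(value: str) -> bool:
    """True if EmailMessage under the default policy itself refuses a
    header value containing a line break (the second line of defence)."""
    try:
        EmailMessage(policy=default)["Subject"] = value
    except ValueError:
        return True
    return False
```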