Message 342415 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	msapiro
Recipients	barry, msapiro, r.david.murray
Date	2019-05-14.01:48:38
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1557798519.08.0.310106320232.issue36910@roundup.psfhosted.org>
In-reply-to

Content
The code in the attached parse_bug.py file when run with Python 3.5, 3.6 or 3.7 throws AttributeError with this traceback: ``` Traceback (most recent call last): File "parse_bug.py", line 9, in <module> """) File "/usr/local/lib/python3.7/email/parser.py", line 124, in parsebytes return self.parser.parsestr(text, headersonly) File "/usr/local/lib/python3.7/email/parser.py", line 68, in parsestr return self.parse(StringIO(text), headersonly=headersonly) File "/usr/local/lib/python3.7/email/parser.py", line 58, in parse return feedparser.close() File "/usr/local/lib/python3.7/email/feedparser.py", line 187, in close self._call_parse() File "/usr/local/lib/python3.7/email/feedparser.py", line 180, in _call_parse self._parse() File "/usr/local/lib/python3.7/email/feedparser.py", line 323, in _parsegen if (self._cur.get('content-transfer-encoding', '8bit').lower() AttributeError: 'Header' object has no attribute 'lower' ``` The triggering condition appears to be the Content-Transfer-Encoding: header with a non-ascii character in the headers of a multipart part. The parser should probably throw email.errors.HeaderParseError with a MalformedHeaderDefect in this case rather than AttributeError. While arguably code should defend against unanticipated exceptions, the fact that such an exception can be thrown while parsing an arbitrary message could be considered a security issue.

The code in the attached parse_bug.py file when run with Python 3.5, 3.6 or 3.7 throws AttributeError with this traceback:

```
Traceback (most recent call last):
  File "parse_bug.py", line 9, in <module>
    """)
  File "/usr/local/lib/python3.7/email/parser.py", line 124, in parsebytes
    return self.parser.parsestr(text, headersonly)
  File "/usr/local/lib/python3.7/email/parser.py", line 68, in parsestr
    return self.parse(StringIO(text), headersonly=headersonly)
  File "/usr/local/lib/python3.7/email/parser.py", line 58, in parse
    return feedparser.close()
  File "/usr/local/lib/python3.7/email/feedparser.py", line 187, in close
    self._call_parse()
  File "/usr/local/lib/python3.7/email/feedparser.py", line 180, in _call_parse
    self._parse()
  File "/usr/local/lib/python3.7/email/feedparser.py", line 323, in _parsegen
    if (self._cur.get('content-transfer-encoding', '8bit').lower()
AttributeError: 'Header' object has no attribute 'lower'
```

The triggering condition appears to be the Content-Transfer-Encoding: header with a non-ascii character in the headers of a multipart part.

The parser should probably throw email.errors.HeaderParseError with a MalformedHeaderDefect in this case rather than AttributeError.

While arguably code should defend against unanticipated exceptions, the fact that such an exception can be thrown while parsing an arbitrary message could be considered a security issue.

History
Date	User	Action	Args
2019-05-14 01:48:39	msapiro	set	recipients: + msapiro, barry, r.david.murray
2019-05-14 01:48:39	msapiro	set	messageid: <1557798519.08.0.310106320232.issue36910@roundup.psfhosted.org>
2019-05-14 01:48:39	msapiro	link	issue36910 messages
2019-05-14 01:48:38	msapiro	create