Message342466
Not a security issue, no. This isn't C where a stack overflow can give an attacker a vector for injecting arbitrary code.
Per the Parser contract ("raise no exceptions, only register defects"), this should, as you say, register a defect (email.errors.InvalidMultipartContentTransferEncodingDefect) and assume a CTE of 7bit for the rest of the parsing. The problem here is that the feedparser is running into the "hack" I put in place in python3.2 for dealing with invalid binary data in headers (which is to turn it into a Header with charset unknown-8bit). That works most of the time, but in cases like this it breaks down :(
Note that the new API (policy=default and friends) handles this without error.

Date | User | Action | Args
2019-05-14 14:34:28 | r.david.murray | set | recipients: + r.david.murray, barry, msapiro, matrixise
2019-05-14 14:34:28 | r.david.murray | set | messageid: <1557844468.91.0.568603737918.issue36910@roundup.psfhosted.org>
2019-05-14 14:34:28 | r.david.murray | link | issue36910 messages
2019-05-14 14:34:28 | r.david.murray | create |
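
An added example, not part of the original message: it parses a constructed malformed multipart message with policy=default and collects the defects the parser registers, reporting the legacy compat32 outcome alongside for comparison. The sample bytes and the helper names `parse_with_defects` and `legacy_outcome` are assumptions made for illustration.

```python
from email import message_from_bytes, policy

# Constructed sample: a multipart message whose Content-Transfer-Encoding
# header holds raw non-ASCII bytes instead of 7bit, 8bit or binary.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    b"Content-Transfer-Encoding: \xe4\xf6\xfc\r\n"
    b"\r\n"
    b"--BOUND\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--BOUND--\r\n"
)


def parse_with_defects(raw):
    """Parse with policy=default; return (message, sorted defect class names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        # Structural defects are registered on the message part itself.
        found.update(type(d).__name__ for d in part.defects)
        # Under policy=default each header object carries its own defects.
        for _name, value in part.items():
            found.update(type(d).__name__ for d in value.defects)
    return msg, sorted(found)


def legacy_outcome(raw):
    """Parse with compat32; return 'ok' or the name of the exception raised.

    The result depends on the interpreter version, so it is only reported.
    """
    try:
        message_from_bytes(raw, policy=policy.compat32)
    except Exception as exc:
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    msg, defects = parse_with_defects(SAMPLE)
    print("policy=default defects:", defects)
    print("compat32 outcome:", legacy_outcome(SAMPLE))
```

A mail pipeline that handles untrusted input can log or quarantine on a non-empty defect list instead of relying on the parser to raise.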