Message 345960 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	barry, maxking, ned.deily, r.david.murray, rad164, vstinner, xtreak
Date	2019-06-18.08:31:25
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1560846685.57.0.322334107487.issue33529@roundup.psfhosted.org>
In-reply-to

Content
Using git bisect, I found which commit introduced the regression, bpo-27240: commit a87ba60fe56ae2ebe80ab9ada6d280a6a1f3d552 Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Sun Dec 3 16:46:23 2017 -0800 bpo-27240 Rewrite the email header folding algorithm. (GH-3488) (#4693) The original algorithm tried to delegate the folding to the tokens so that those tokens whose folding rules differed could specify the differences. However, this resulted in a lot of duplicated code because most of the rules were the same. The new algorithm moves all folding logic into a set of functions external to the token classes, but puts the information about which tokens can be folded in which ways on the tokens...with the exception of mime-parameters, which are a special case (which was not even implemented in the old folder). This algorithm can still probably be improved and hopefully simplified somewhat. Note that some of the test expectations are changed. I believe the changes are toward more desirable and consistent behavior: in general when (re) folding a line the canonical version of the tokens is generated, rather than preserving errors or extra whitespace. (cherry picked from commit 85d5c18c9d83a1d54eecc4c2ad4dce63194107c6) The first vulnerable release is Python 3.6.4: Python 3.6.3 and older are not affected by this vulnerability. So yes, I confirm that Python 2.7 and 3.5 are not vulnerable. By the way, a backport to 3.5 was requested but rejected :-) https://bugs.python.org/issue27240#msg330030 I close the issue. Thanks Rad164 for the report and thanks Krzysztof Wojcik fo the fix!

Using git bisect, I found which commit introduced the regression, bpo-27240:

commit a87ba60fe56ae2ebe80ab9ada6d280a6a1f3d552
Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date:   Sun Dec 3 16:46:23 2017 -0800

    bpo-27240 Rewrite the email header folding algorithm. (GH-3488) (#4693)
    
    The original algorithm tried to delegate the folding to the tokens so
    that those tokens whose folding rules differed could specify the
    differences.  However, this resulted in a lot of duplicated code because
    most of the rules were the same.
    
    The new algorithm moves all folding logic into a set of functions
    external to the token classes, but puts the information about which
    tokens can be folded in which ways on the tokens...with the exception of
    mime-parameters, which are a special case (which was not even
    implemented in the old folder).
    
    This algorithm can still probably be improved and hopefully simplified
    somewhat.
    
    Note that some of the test expectations are changed.  I believe the
    changes are toward more desirable and consistent behavior: in general
    when (re) folding a line the canonical version of the tokens is
    generated, rather than preserving errors or extra whitespace.
    (cherry picked from commit 85d5c18c9d83a1d54eecc4c2ad4dce63194107c6)

The first vulnerable release is Python 3.6.4: Python 3.6.3 and older are not affected by this vulnerability. So yes, I confirm that Python 2.7 and 3.5 are not vulnerable. By the way, a backport to 3.5 was requested but rejected :-)
https://bugs.python.org/issue27240#msg330030

I close the issue. Thanks Rad164 for the report and thanks Krzysztof Wojcik fo the fix!

History
Date	User	Action	Args
2019-06-18 08:31:25	vstinner	set	recipients: + vstinner, barry, ned.deily, r.david.murray, maxking, rad164, xtreak
2019-06-18 08:31:25	vstinner	set	messageid: <1560846685.57.0.322334107487.issue33529@roundup.psfhosted.org>
2019-06-18 08:31:25	vstinner	link	issue33529 messages
2019-06-18 08:31:25	vstinner	create