Author vstinner
Recipients barry, maxking, ned.deily, r.david.murray, rad164, vstinner, xtreak
Date 2019-06-18.08:31:25
Message-id <1560846685.57.0.322334107487.issue33529@roundup.psfhosted.org>
Content
Using git bisect, I found which commit introduced the regression, bpo-27240:

commit a87ba60fe56ae2ebe80ab9ada6d280a6a1f3d552
Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date:   Sun Dec 3 16:46:23 2017 -0800

    bpo-27240 Rewrite the email header folding algorithm. (GH-3488) (#4693)
    
    The original algorithm tried to delegate the folding to the tokens so
    that those tokens whose folding rules differed could specify the
    differences.  However, this resulted in a lot of duplicated code because
    most of the rules were the same.
    
    The new algorithm moves all folding logic into a set of functions
    external to the token classes, but puts the information about which
    tokens can be folded in which ways on the tokens...with the exception of
    mime-parameters, which are a special case (which was not even
    implemented in the old folder).
    
    This algorithm can still probably be improved and hopefully simplified
    somewhat.
    
    Note that some of the test expectations are changed.  I believe the
    changes are toward more desirable and consistent behavior: in general
    when (re) folding a line the canonical version of the tokens is
    generated, rather than preserving errors or extra whitespace.
    (cherry picked from commit 85d5c18c9d83a1d54eecc4c2ad4dce63194107c6)

The first vulnerable release is Python 3.6.4: Python 3.6.3 and older are not affected by this vulnerability. So yes, I confirm that Python 2.7 and 3.5 are not vulnerable. By the way, a backport to 3.5 was requested but rejected :-)
https://bugs.python.org/issue27240#msg330030

I close the issue. Thanks Rad164 for the report and thanks Krzysztof Wojcik for the fix!
History
Date User Action Args
2019-06-18 08:31:25 vstinner set recipients: + vstinner, barry, ned.deily, r.david.murray, maxking, rad164, xtreak
2019-06-18 08:31:25 vstinner set messageid: <1560846685.57.0.322334107487.issue33529@roundup.psfhosted.org>
2019-06-18 08:31:25 vstinner link issue33529 messages
2019-06-18 08:31:25 vstinner create