Author vstinner
Recipients barry, maxking, ned.deily, r.david.murray, rad164, vstinner, xtreak
Date 2019-06-18.08:31:25
Using git bisect, I found which commit introduced the regression, bpo-27240:

commit a87ba60fe56ae2ebe80ab9ada6d280a6a1f3d552
Author: Miss Islington (bot) <>
Date:   Sun Dec 3 16:46:23 2017 -0800

    bpo-27240 Rewrite the email header folding algorithm. (GH-3488) (#4693)
    The original algorithm tried to delegate the folding to the tokens so
    that those tokens whose folding rules differed could specify the
    differences.  However, this resulted in a lot of duplicated code because
    most of the rules were the same.
    The new algorithm moves all folding logic into a set of functions
    external to the token classes, but puts the information about which
    tokens can be folded in which ways on the tokens...with the exception of
    mime-parameters, which are a special case (which was not even
    implemented in the old folder).
    This algorithm can still probably be improved and hopefully simplified
    Note that some of the test expectations are changed.  I believe the
    changes are toward more desirable and consistent behavior: in general
    when (re) folding a line the canonical version of the tokens is
    generated, rather than preserving errors or extra whitespace.
    (cherry picked from commit 85d5c18c9d83a1d54eecc4c2ad4dce63194107c6)

The first vulnerable release is Python 3.6.4: Python 3.6.3 and older are not affected by this vulnerability. So yes, I confirm that Python 2.7 and 3.5 are not vulnerable. By the way, a backport to 3.5 was requested but rejected :-)

I close the issue. Thanks Rad164 for the report and thanks Krzysztof Wojcik for the fix!
