➜ 
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-12-17 12:46 by jap, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 19007 | merged | epicfaace, 2020-03-15 01:28 | |
| PR 19222 | merged | miss-islington, 2020-03-30 00:39 | |
| PR 19223 | merged | miss-islington, 2020-03-30 00:39 | |
| PR 19224 | merged | miss-islington, 2020-03-30 00:39 | |
| PR 20450 | merged | vstinner, 2020-05-27 13:47 | |
| Messages (14) | |||
|---|---|---|---|
| msg358544 - (view) | Author: Jasper Spaans (jap) * | Date: 2019-12-17 12:46 | |
big-bob:t spaans$ cat fak.py import sys from email.message import EmailMessage from email.policy import SMTP from email.headerregistry import Address msg = EmailMessage(policy=SMTP) a = Address(display_name='Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>\r\nX:', addr_spec='evil@local') msg['To'] = a print(sys.version) print(msg.as_string()) big-bob:t spaans$ python3.5 fak.py 3.5.2 (default, Jul 16 2019, 13:40:43) [GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)] To: "Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local> X:" <evil@local> big-bob:t spaans$ python3.8 fak.py 3.8.0 (default, Dec 17 2019, 13:32:18) [Clang 11.0.0 (clang-1100.0.33.16)] To: Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local> X: <evil@local> | |||
| msg358545 - (view) | Author: Jasper Spaans (jap) * | Date: 2019-12-17 12:50 | |
As can be seen above, 3.5 wraps the realname in a double quote, but 3.8 fails to do so. Note that 3.5 also does not add a whitespace in front of the line starting with "X:", so it is also not merged with the previous line when parsing. I guess we'll have to disallow \r and \n in displaynames for now. | |||
| msg358572 - (view) | Author: R. David Murray (r.david.murray) *  | Date: 2019-12-17 20:24 | |
Hmm. Yes, \r\n should be disallowed in the arguments to Address. I thought it already was, so that's a bug. That bug produces the other apparent bug as well: because the X: was treated as a separate line, the previous header did not need double quotes so they are no longer added. So there's no 3.8 specific bug here, but there is a bug. | |||
| msg364273 - (view) | Author: R. David Murray (r.david.murray) * | Date: 2020-03-16 01:00 | |
Thanks for the PR. I've made some review comments. | |||
| msg365287 - (view) | Author: R. David Murray (r.david.murray) * | Date: 2020-03-30 00:38 | |
New changeset 614f17211c5fc0e5b828be1d3320661d1038fe8f by Ashwin Ramaswami in branch 'master': bpo-39073: validate Address parts to disallow CRLF (#19007) https://github.com/python/cpython/commit/614f17211c5fc0e5b828be1d3320661d1038fe8f | |||
| msg365288 - (view) | Author: R. David Murray (r.david.murray) * | Date: 2020-03-30 00:40 | |
Thanks! | |||
| msg369659 - (view) | Author: Cheryl Sabella (cheryl.sabella) * | Date: 2020-05-22 22:20 | |
There are 3 open PRs for the backport of this to 3.6, 3.7, and 3.8. It looks like they just need to be approved and miss-islington will take care of the rest. | |||
| msg370076 - (view) | Author: miss-islington (miss-islington) | Date: 2020-05-27 13:37 | |
New changeset 75635c6095bcfbb9fccc239115d3d03ae20a307f by Miss Islington (bot) in branch '3.8': bpo-39073: validate Address parts to disallow CRLF (GH-19007) https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f | |||
| msg370077 - (view) | Author: miss-islington (miss-islington) | Date: 2020-05-27 13:38 | |
New changeset a93bf82980d7c02217a088bafa193f32a4d13abb by Miss Islington (bot) in branch '3.7': bpo-39073: validate Address parts to disallow CRLF (GH-19007) https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb | |||
| msg370080 - (view) | Author: STINNER Victor (vstinner) * | Date: 2020-05-27 13:48 | |
I created PR 20450: backport to 3.5, since it's a security fix. | |||
| msg370081 - (view) | Author: STINNER Victor (vstinner) * | Date: 2020-05-27 13:49 | |
FYI I created https://python-security.readthedocs.io/vuln/email-address-header-injection.html to track fixes of this vulnerability. | |||
| msg370151 - (view) | Author: Ned Deily (ned.deily) * | Date: 2020-05-27 23:17 | |
New changeset 7df32f844efed33ca781a016017eab7050263b90 by Miss Islington (bot) in branch '3.6': bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224) https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90 | |||
| msg371386 - (view) | Author: Larry Hastings (larry) * | Date: 2020-06-12 15:33 | |
New changeset f91a0b6df14d6c5133fe3d5889fad7d84fc0c046 by Victor Stinner in branch '3.5': bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450) https://github.com/python/cpython/commit/f91a0b6df14d6c5133fe3d5889fad7d84fc0c046 | |||
| msg373948 - (view) | Author: Ned Deily (ned.deily) * | Date: 2020-07-19 09:42 | |
Merged for release in 3.9.0a6, 3.8.4, 3.7.8, 3.6.11, and 3.5.10. | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:24 | admin | set | github: 83254 |
| 2020-07-19 09:42:15 | ned.deily | set | status: open -> closed resolution: fixed messages: + msg373948 stage: patch review -> resolved |
| 2020-06-12 15:33:26 | larry | set | nosy: + larry messages: + msg371386 |
| 2020-05-27 23:17:58 | ned.deily | set | nosy: + ned.deily messages: + msg370151 |
| 2020-05-27 13:49:40 | vstinner | set | title: email incorrect handling of crlf in Address objects. -> [security] email module incorrect handling of CR and LF newline characters in Address objects. |
| 2020-05-27 13:49:21 | vstinner | set | messages: + msg370081 |
| 2020-05-27 13:48:27 | vstinner | set | messages: + msg370080 versions: + Python 3.5, Python 3.6, Python 3.7, Python 3.9, Python 3.10 |
| 2020-05-27 13:47:46 | vstinner | set | nosy: + vstinner pull_requests: + pull_request19704 stage: backport needed -> patch review |
| 2020-05-27 13:38:18 | miss-islington | set | messages: + msg370077 |
| 2020-05-27 13:37:47 | miss-islington | set | messages: + msg370076 |
| 2020-05-22 22:20:39 | cheryl.sabella | set | nosy: + cheryl.sabella messages: + msg369659 |
| 2020-03-30 00:40:26 | r.david.murray | set | stage: patch review -> backport needed |
| 2020-03-30 00:40:01 | r.david.murray | set | messages: + msg365288 |
| 2020-03-30 00:39:30 | miss-islington | set | pull_requests: + pull_request18586 |
| 2020-03-30 00:39:21 | miss-islington | set | pull_requests: + pull_request18585 |
| 2020-03-30 00:39:12 | miss-islington | set | nosy: + miss-islington pull_requests: + pull_request18584 |
| 2020-03-30 00:38:47 | r.david.murray | set | messages: + msg365287 |
| 2020-03-16 01:00:29 | r.david.murray | set | messages: + msg364273 |
| 2020-03-15 01:28:02 | epicfaace | set | keywords: + patch nosy: + epicfaace pull_requests: + pull_request18352 stage: patch review |
| 2019-12-17 20:24:21 | r.david.murray | set | messages: + msg358572 title: email regression in 3.8: folding -> email incorrect handling of crlf in Address objects. |
| 2019-12-17 12:50:18 | jap | set | messages: + msg358545 |
| 2019-12-17 12:46:43 | jap | create | |