[issue5871] email.header.Header too lax with embeded newlines
Barry A. Warsaw
report at bugs.python.org
Mon Jan 10 22:01:35 CET 2011
Barry A. Warsaw <barry at python.org> added the comment:
I'm inclined not to support backporting to Python 2.6. It seems like a fairly rare and narrow hole for security problem, because it would require a program to add the bogus header explicitly, as opposed to getting it after parsing some data. To me, that smacks of SQL-injection or XSS type bug, where it's really the application that's the problem.
Or in other words, assuming you don't have a program that is deliberately adding such headers (and then it should be considered a feature, i.e. they know what they're doing), then you'd have to trick a header-adding program to add some unvalidated text.
I dunno, it doesn't seem like a serious enough threat to backport.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5871>
_______________________________________
More information about the Python-bugs-list
mailing list