[Python-checkins] [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446)

larryhastings webhook-mailer at python.org
Sat Sep 7 03:08:56 EDT 2019 

https://github.com/python/cpython/commit/c28e4a5160d3283b12514c7c28ed6e0a2a52271a
commit: c28e4a5160d3283b12514c7c28ed6e0a2a52271a
branch: 3.5
author: Abhilash Raj <maxking at users.noreply.github.com>
committer: larryhastings <larry at hastings.org>
date: 2019-09-07T08:08:53+01:00
summary:

[3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446)

* [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)

Co-authored-by: Abhilash Raj <maxking at users.noreply.github.com>
Co-Authored-By: Ashwin Ramaswami <aramaswamis at gmail.com>

files:
A Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
M Lib/email/_header_value_parser.py
M Lib/test/test_email/test__header_value_parser.py

diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
index facc208fde12..5c4eb75f4981 100644
--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
@@ -2771,6 +2771,9 @@ def get_parameter(value):
         while value:
             if value[0] in WSP:
                 token, value = get_fws(value)
+            elif value[0] == '"':
+                token = ValueTerminal('"', 'DQUOTE')
+                value = value[1:]
             else:
                 token, value = get_qcontent(value)
             v.append(token)
diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
index 8ae617a6bd58..0cc5898b6275 100644
--- a/Lib/test/test_email/test__header_value_parser.py
+++ b/Lib/test/test_email/test__header_value_parser.py
@@ -2573,6 +2573,13 @@ def mime_parameters_as_value(self,
             # Defects are apparent missing *0*, and two 'out of sequence'.
             [errors.InvalidHeaderDefect]*3),
 
+        # bpo-37461: Check that we don't go into an infinite loop.
+        'extra_dquote': (
+            'r*="\'a\'\\"',
+            ' r="\\""',
+            'r*=\'a\'"',
+            [('r', '"')],
+            [errors.InvalidHeaderDefect]*2),
     }
 
 @parameterize
diff --git a/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst b/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
new file mode 100644
index 000000000000..9d47578c6277
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
@@ -0,0 +1,2 @@
+Fix an infinite loop when parsing specially crafted email headers. Patch by
+Abhilash Raj.

More information about the Python-checkins mailing list