[Python-checkins] bpo-39073: validate Address parts to disallow CRLF (GH-19007)

Miss Islington (bot) webhook-mailer at python.org
Wed May 27 09:38:19 EDT 2020


https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
commit: a93bf82980d7c02217a088bafa193f32a4d13abb
branch: 3.7
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2020-05-27T06:38:14-07:00
summary:

bpo-39073: validate Address parts to disallow CRLF (GH-19007)


Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f)

Co-authored-by: Ashwin Ramaswami <aramaswamis at gmail.com>

files:
A Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst
M Lib/email/headerregistry.py
M Lib/test/test_email/test_headerregistry.py

diff --git a/Lib/email/headerregistry.py b/Lib/email/headerregistry.py
index 0218cbfbd098d..fe30fc2c7e713 100644
--- a/Lib/email/headerregistry.py
+++ b/Lib/email/headerregistry.py
@@ -31,6 +31,11 @@ def __init__(self, display_name='', username='', domain='', addr_spec=None):
         without any Content Transfer Encoding.
 
         """
+
+        inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
+        if '\r' in inputs or '\n' in inputs:
+            raise ValueError("invalid arguments; address parts cannot contain CR or LF")
+
         # This clause with its potential 'raise' may only happen when an
         # application program creates an Address object using an addr_spec
         # keyword.  The email library code itself must always supply username
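Review bot: The `''.join(filter(None, (display_name, username, domain, addr_spec)))` line assumes every truthy argument is a str, so a non-str value will fail inside `join` with a TypeError instead of reaching the intended ValueError. Consider checking each part on its own and naming the offending argument in the message, since "address parts cannot contain CR or LF" does not tell the caller which of the four inputs was rejected. The new block also has no comment saying why it exists, while the clause right below it does; one line noting that this guards against header injection would keep the intent visible to later maintainers.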
diff --git a/Lib/test/test_email/test_headerregistry.py b/Lib/test/test_email/test_headerregistry.py
index b54df3ebc61a1..e808e502b21e6 100644
--- a/Lib/test/test_email/test_headerregistry.py
+++ b/Lib/test/test_email/test_headerregistry.py
@@ -1436,6 +1436,25 @@ def test_il8n(self):
     #    with self.assertRaises(ValueError):
     #        Address('foo', 'wők', 'example.com')
 
+    def test_crlf_in_constructor_args_raises(self):
+        cases = (
+            dict(display_name='foo\r'),
+            dict(display_name='foo\n'),
+            dict(display_name='foo\r\n'),
+            dict(domain='example.com\r'),
+            dict(domain='example.com\n'),
+            dict(domain='example.com\r\n'),
+            dict(username='wok\r'),
+            dict(username='wok\n'),
+            dict(username='wok\r\n'),
+            dict(addr_spec='wok at example.com\r'),
+            dict(addr_spec='wok at example.com\n'),
+            dict(addr_spec='wok at example.com\r\n')
+        )
+        for kwargs in cases:
+            with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid arguments"):
+                Address(**kwargs)
+
     def test_non_ascii_username_in_addr_spec_raises(self):
         with self.assertRaises(ValueError):
             Address('foo', addr_spec='wők at example.com')
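Review bot: Every case in `test_crlf_in_constructor_args_raises` puts the CR or LF at the end of the value and sets only one argument at a time, so the test never exercises a line break at the start or in the middle of a value, or a bad part combined with otherwise valid ones. Adding a few such cases would pin down that the check is a substring test on all parts and not something that only looks at trailing characters. As a style point, the `with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid arguments"):` line runs well past 79 columns and could be split into two nested `with` statements.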
diff --git a/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst b/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst
new file mode 100644
index 0000000000000..6c9447b897bf6
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst
@@ -0,0 +1 @@
+Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
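Review bot: The NEWS entry does not say what happens when a CR or LF is found. The code change raises ValueError from the Address constructor, and applications that pass user-supplied values to it may now need to handle that exception, so it is worth stating in the entry.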


