Merged revisions 87873 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines
#5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header. Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks. (As far as we know this has never been exploited.)
Thanks to Jakub Wilk for reporting this vulnerability.
........
diff --git a/Lib/email/header.py b/Lib/email/header.py
index aaca18a..ce55d61 100644
--- a/Lib/email/header.py
+++ b/Lib/email/header.py
@@ -46,6 +46,10 @@
# For use with .match()
fcre = re.compile(r'[\041-\176]+:$')
+# Find a header embeded in a putative header value. Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+
�
# Helpers
@@ -305,7 +309,11 @@
if len(lines) > 1:
formatter.newline()
formatter.add_transition()
- return str(formatter)
+ value = str(formatter)
+ if _embeded_header.search(value):
+ raise HeaderParseError("header value appears to contain "
+ "an embedded header: {!r}".format(value))
+ return value
def _normalize(self):
# Step 1: Normalize the chunks so that all runs of identical charsets