Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / d97f5ce3774c9b70a64febb713586501455964b7^! / . / Lib / email
commitd97f5ce3774c9b70a64febb713586501455964b7[log] [tgz]
authorR. David Murray <rdmurray@bitdance.com>Sun Jan 09 03:02:04 2011 +0000
committerR. David Murray <rdmurray@bitdance.com>Sun Jan 09 03:02:04 2011 +0000
tree905d7d5248ae2d3b0b7c54e5dd5bccfb6609e942
parentc4c52dd23d4d365952fb7f653f72f38154e4d331 [diff]
Merged revisions 87873 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines

  #5871: protect against header injection attacks.

  This makes Header.encode throw a HeaderParseError if it winds up
  formatting a header such that a continuation line has no leading
  whitespace and looks like a header.  Since Header accepts values
  containing newlines and preserves them (and this is by design), without
  this fix any program that took user input (say, a subject in a web form)
  and passed it to the email package as a header was vulnerable to header
  injection attacks.  (As far as we know this has never been exploited.)

  Thanks to Jakub Wilk for reporting this vulnerability.
........

diff --git a/Lib/email/header.py b/Lib/email/header.py
index 9e91dc2..702adf1 100644
--- a/Lib/email/header.py
+++ b/Lib/email/header.py

@@ -47,6 +47,10 @@
 # For use with .match()
 fcre = re.compile(r'[\041-\176]+:$')
 
+# Find a header embeded in a putative header value.  Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+
 
 
 # Helpers
@@ -403,7 +407,11 @@
             newchunks += self._split(s, charset, targetlen, splitchars)
             lastchunk, lastcharset = newchunks[-1]
             lastlen = lastcharset.encoded_header_len(lastchunk)
-        return self._encode_chunks(newchunks, maxlinelen)
+        value = self._encode_chunks(newchunks, maxlinelen)
+        if _embeded_header.search(value):
+            raise HeaderParseError("header value appears to contain "
+                "an embedded header: {!r}".format(value))
+        return value
 
 
 

diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
index 4aac500..5c9a725 100644
--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py

@@ -553,6 +553,17 @@
         msg.set_charset(u'us-ascii')
         self.assertEqual('us-ascii', msg.get_content_charset())
 
+    # Issue 5871: reject an attempt to embed a header inside a header value
+    # (header injection attack).
+    def test_embeded_header_via_Header_rejected(self):
+        msg = Message()
+        msg['Dummy'] = Header('dummy\nX-Injected-Header: test')
+        self.assertRaises(Errors.HeaderParseError, msg.as_string)
+
+    def test_embeded_header_via_string_rejected(self):
+        msg = Message()
+        msg['Dummy'] = 'dummy\nX-Injected-Header: test'
+        self.assertRaises(Errors.HeaderParseError, msg.as_string)
 
 
 # Test the email.Encoders module