Merged revisions 87873 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines
#5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header. Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks. (As far as we know this has never been exploited.)
Thanks to Jakub Wilk for reporting this vulnerability.
........
diff --git a/Misc/NEWS b/Misc/NEWS
index d15a849..7af0b2c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -31,6 +31,13 @@
Library
-------
+- Issue #5871: email.header.Header.encode now raises an error if any
+ continuation line in the formatted value has no leading white space
+ and looks like a header. Since Generator uses Header to format all
+ headers, this check is made for all headers in any serialized message
+ at serialization time. This provides protection against header
+ injection attacks.
+
- Issue #7858: Raise an error properly when os.utime() fails under Windows
on an existing file.