#5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header. Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks. (As far as we know this has never been exploited.)
Thanks to Jakub Wilk for reporting this vulnerability.
diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
index a1798ce..e4083ad 100644
--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
@@ -561,6 +561,18 @@
"attachment; filename*=utf-8''Fu%C3%9Fballer%20%5Bfilename%5D.ppt",
msg['Content-Disposition'])
+ # Issue 5871: reject an attempt to embed a header inside a header value
+ # (header injection attack).
+ def test_embeded_header_via_Header_rejected(self):
+ msg = Message()
+ msg['Dummy'] = Header('dummy\nX-Injected-Header: test')
+ self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+ def test_embeded_header_via_string_rejected(self):
+ msg = Message()
+ msg['Dummy'] = 'dummy\nX-Injected-Header: test'
+ self.assertRaises(errors.HeaderParseError, msg.as_string)
+
# Test the email.encoders module
class TestEncoders(unittest.TestCase):