#5871: protect against header injection attacks. This makes Header.encode throw a HeaderParseError if it winds up formatting a header such that a continuation line has no leading whitespace and looks like a header. Since Header accepts values containing newlines and preserves them (and this is by design), without this fix any program that took user input (say, a subject in a web form) and passed it to the email package as a header was vulnerable to header injection attacks. (As far as we know this has never been exploited.) Thanks to Jakub Wilk for reporting this vulnerability.

commit: 5b2d9ddf69cecfb9ad4e687fab3f34ecc5a9ea4f [log] [tgz]
author: R. David Murray <rdmurray@bitdance.com> Sun Jan 09 02:35:24 2011 +0000
committer: R. David Murray <rdmurray@bitdance.com> Sun Jan 09 02:35:24 2011 +0000
tree: bb55bbeaa187a5bea36c3f5a7e3a1bd41d2157a1
parent: e3ee66f141706d1220129dcc53b990e66507f5f2 [diff] [blame]
diff --git a/Misc/NEWS b/Misc/NEWS
index c1d4260..2f8b6db 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS

@@ -40,6 +40,13 @@
 Library
 -------
 
+- Issue #5871: email.header.Header.encode now raises an error if any
+  continuation line in the formatted value has no leading white space
+  and looks like a header.  Since Generator uses Header to format all
+  headers, this check is made for all headers in any serialized message
+  at serialization time.  This provides protection against header
+  injection attacks.
+
 - Issue #10859: Make ``contextlib.GeneratorContextManager`` officially
   private by renaming it to ``_GeneratorContextManager``.
commit	5b2d9ddf69cecfb9ad4e687fab3f34ecc5a9ea4f	[log] [tgz]
author	R. David Murray <rdmurray@bitdance.com>	Sun Jan 09 02:35:24 2011 +0000
committer	R. David Murray <rdmurray@bitdance.com>	Sun Jan 09 02:35:24 2011 +0000
tree	bb55bbeaa187a5bea36c3f5a7e3a1bd41d2157a1
parent	e3ee66f141706d1220129dcc53b990e66507f5f2 [diff] [blame]