Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 614f17211c5fc0e5b828be1d3320661d1038fe8f^! / . / Lib / email / headerregistry.py
commit614f17211c5fc0e5b828be1d3320661d1038fe8f[log] [tgz]
authorAshwin Ramaswami <aramaswamis@gmail.com>Sun Mar 29 20:38:41 2020 -0400
committerGitHub <noreply@github.com>Sun Mar 29 20:38:41 2020 -0400
treeceb4506a92bc77dab1954a7caed397587d6b2c14
parent0003c2dc1d4cf5b122e73e83177fd274fa9a9913 [diff] [blame]
bpo-39073: validate Address parts to disallow CRLF (#19007)

 Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. 
diff --git a/Lib/email/headerregistry.py b/Lib/email/headerregistry.py
index cc1d191..5d84fc0 100644
--- a/Lib/email/headerregistry.py
+++ b/Lib/email/headerregistry.py

@@ -31,6 +31,11 @@
         without any Content Transfer Encoding.
 
         """
+
+        inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
+        if '\r' in inputs or '\n' in inputs:
+            raise ValueError("invalid arguments; address parts cannot contain CR or LF")
+
         # This clause with its potential 'raise' may only happen when an
         # application program creates an Address object using an addr_spec
         # keyword.  The email library code itself must always supply username