bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019) Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>

commit: 9e6c317ab133cd8fa48d5ecd8568314ef2e98634 [log] [tgz]
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Sun Aug 29 07:43:39 2021 -0700
committer: GitHub <noreply@github.com> Sun Aug 29 07:43:39 2021 -0700
tree: 8ecc3827e057528d4eecc8c3f0133e7056b202d7
parent: 270678564c16452614a8acd93763bdf64fb4d286 [diff] [blame]
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
index 7e984e8..324a1c1 100755
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py

@@ -367,10 +367,15 @@ def send(self, s):
     def putcmd(self, cmd, args=""):
         """Send a command to the server."""
         if args == "":
-            str = '%s%s' % (cmd, CRLF)
+            s = cmd
         else:
-            str = '%s %s%s' % (cmd, args, CRLF)
-        self.send(str)
+            s = f'{cmd} {args}'
+        if '\r' in s or '\n' in s:
+            s = s.replace('\n', '\\n').replace('\r', '\\r')
+            raise ValueError(
+                f'command and arguments contain prohibited newline characters: {s}'
+            )
+        self.send(f'{s}{CRLF}')
 
     def getreply(self):
         """Get a reply from the server.
commit	9e6c317ab133cd8fa48d5ecd8568314ef2e98634	[log] [tgz]
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	Sun Aug 29 07:43:39 2021 -0700
committer	GitHub <noreply@github.com>	Sun Aug 29 07:43:39 2021 -0700
tree	8ecc3827e057528d4eecc8c3f0133e7056b202d7
parent	270678564c16452614a8acd93763bdf64fb4d286 [diff] [blame]