diff options
| author |   Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2020-05-27 16:17:52 -0700 |
|---|---|---|
| committer |   GitHub <noreply@github.com> | 2020-05-27 19:17:52 -0400 |
| commit | 7df32f844efed33ca781a016017eab7050263b90 (patch) | |
| tree | a86501bf0425c2017f7568e073ecf3f9f008daab | |
| parent | Add pt-br switcher to the Documentation website (GH-20301) (diff) | |
| download | cpython-7df32f844efed33ca781a016017eab7050263b90.tar.gz cpython-7df32f844efed33ca781a016017eab7050263b90.tar.bz2 cpython-7df32f844efed33ca781a016017eab7050263b90.zip | |
bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
| -rw-r--r-- | Lib/email/headerregistry.py | 5 | ||||
| -rw-r--r-- | Lib/test/test_email/test_headerregistry.py | 19 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst | 1 |
3 files changed, 25 insertions, 0 deletions
diff --git a/Lib/email/headerregistry.py b/Lib/email/headerregistry.py index f5be87f4d24..6e86b3b26c9 100644 --- a/Lib/email/headerregistry.py +++ b/Lib/email/headerregistry.py @@ -31,6 +31,11 @@ class Address: without any Content Transfer Encoding. """ + + inputs = ''.join(filter(None, (display_name, username, domain, addr_spec))) + if '\r' in inputs or '\n' in inputs: + raise ValueError("invalid arguments; address parts cannot contain CR or LF") + # This clause with its potential 'raise' may only happen when an # application program creates an Address object using an addr_spec # keyword. The email library code itself must always supply username diff --git a/Lib/test/test_email/test_headerregistry.py b/Lib/test/test_email/test_headerregistry.py index d1007099f66..08634daa7f6 100644 --- a/Lib/test/test_email/test_headerregistry.py +++ b/Lib/test/test_email/test_headerregistry.py @@ -1435,6 +1435,25 @@ class TestAddressAndGroup(TestEmailBase): # with self.assertRaises(ValueError): # Address('foo', 'wők', 'example.com') + def test_crlf_in_constructor_args_raises(self): + cases = ( + dict(display_name='foo\r'), + dict(display_name='foo\n'), + dict(display_name='foo\r\n'), + dict(domain='example.com\r'), + dict(domain='example.com\n'), + dict(domain='example.com\r\n'), + dict(username='wok\r'), + dict(username='wok\n'), + dict(username='wok\r\n'), + dict(addr_spec='wok@example.com\r'), + dict(addr_spec='wok@example.com\n'), + dict(addr_spec='wok@example.com\r\n') + ) + for kwargs in cases: + with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid arguments"): + Address(**kwargs) + def test_non_ascii_username_in_addr_spec_raises(self): with self.assertRaises(ValueError): Address('foo', addr_spec='wők@example.com') diff --git a/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst b/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst new file mode 100644 index 00000000000..6c9447b897b --- /dev/null +++ b/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst @@ -0,0 +1 @@ +Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. |