authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2020-05-27 13:37:40 (GMT)
committerGitHub <noreply@github.com>2020-05-27 13:37:40 (GMT)
commit75635c6095bcfbb9fccc239115d3d03ae20a307f (patch)
tree002635c5771d551f74dd65711a014661c4d99dbe /Lib/email
parent5594c07d97cc56ec7fabc66c6a5c644d3b809612 (diff)
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Diffstat (limited to 'Lib/email')
-rw-r--r--Lib/email/headerregistry.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/Lib/email/headerregistry.py b/Lib/email/headerregistry.py
index 8d1a202..d0914fd 100644
--- a/Lib/email/headerregistry.py
+++ b/Lib/email/headerregistry.py
@@ -31,6 +31,11 @@ class Address:
without any Content Transfer Encoding.
"""
+
+ inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
+ if '\r' in inputs or '\n' in inputs:
+ raise ValueError("invalid arguments; address parts cannot contain CR or LF")
+
# This clause with its potential 'raise' may only happen when an
# application program creates an Address object using an addr_spec
# keyword. The email library code itself must always supply username
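Review bot: The new CR/LF guard right after the docstring is undocumented, so a caller reading `Address.__init__` has no way to learn that construction can now raise `ValueError`, and a maintainer has no hint why the check exists. I would add a sentence to the docstring that closes just above the hunk's added lines, such as `Raises ValueError if any argument contains a CR or LF character.`, and a comment above the `inputs = ...` line: `# CR/LF in any part could end the header line early and inject extra headers.` Because the parts are concatenated before testing, the message cannot say which argument was rejected; checking each part in turn would allow naming it without echoing the value. The method starts above the hunk and continues below it, so whether other constructors in this file that accept a display name get the same validation cannot be judged from here and is worth confirming.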