author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2021-08-29 14:43:39 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-29 14:43:39 (GMT) |
commit | 9e6c317ab133cd8fa48d5ecd8568314ef2e98634 (patch) | |
tree | 8ecc3827e057528d4eecc8c3f0133e7056b202d7 /Lib/smtplib.py | |
parent | 270678564c16452614a8acd93763bdf64fb4d286 (diff) | |
bpo-43124: Fix smtplib multiple CRLF injection (GH-25987)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019)
Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
Diffstat (limited to 'Lib/smtplib.py')
-rwxr-xr-x | Lib/smtplib.py | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
index 7e984e8..324a1c1 100755
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -367,10 +367,15 @@ class SMTP:
 def putcmd(self, cmd, args=""):
 """Send a command to the server."""
 if args == "":
- str = '%s%s' % (cmd, CRLF)
+ s = cmd
 else:
- str = '%s %s%s' % (cmd, args, CRLF)
- self.send(str)
+ s = f'{cmd} {args}'
+ if '\r' in s or '\n' in s:
+ s = s.replace('\n', '\\n').replace('\r', '\\r')
+ raise ValueError(
+ f'command and arguments contain prohibited newline characters: {s}'
+ )
+ self.send(f'{s}{CRLF}')

 def getreply(self):
 """Get a reply from the server. |
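Review bot: The escaping done just before the `raise` in `putcmd` covers only `\r` and `\n`, so any other control character in the rejected command (a terminal escape sequence, for instance) is copied verbatim into the ValueError text, which may well end up in a log or on a console. Formatting with `repr` escapes all of them and makes the reassignment of `s` unnecessary: `raise ValueError(f'command and arguments contain prohibited newline characters: {s!r}')`. The one-line docstring could also state the new contract, for example `Raises ValueError if cmd or args contain CR or LF.`, so that callers passing externally supplied values know to expect the exception.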