authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2021-08-29 14:43:39 (GMT)
committerGitHub <noreply@github.com>2021-08-29 14:43:39 (GMT)
commit9e6c317ab133cd8fa48d5ecd8568314ef2e98634 (patch)
tree8ecc3827e057528d4eecc8c3f0133e7056b202d7 /Lib/smtplib.py
parent270678564c16452614a8acd93763bdf64fb4d286 (diff)
bpo-43124: Fix smtplib multiple CRLF injection (GH-25987)
Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019) Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
Diffstat (limited to 'Lib/smtplib.py')
-rwxr-xr-xLib/smtplib.py11
1 files changed, 8 insertions, 3 deletions
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
index 7e984e8..324a1c1 100755
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -367,10 +367,15 @@ class SMTP:
def putcmd(self, cmd, args=""):
"""Send a command to the server."""
if args == "":
- str = '%s%s' % (cmd, CRLF)
+ s = cmd
else:
- str = '%s %s%s' % (cmd, args, CRLF)
- self.send(str)
+ s = f'{cmd} {args}'
+ if '\r' in s or '\n' in s:
+ s = s.replace('\n', '\\n').replace('\r', '\\r')
+ raise ValueError(
+ f'command and arguments contain prohibited newline characters: {s}'
+ )
+ self.send(f'{s}{CRLF}')
def getreply(self):
"""Get a reply from the server.
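Review bot: putcmd's docstring still reads only "Send a command to the server." although the method now raises ValueError when cmd or args contains CR or LF, so callers that pass user-supplied values have no documented exception to catch. I would extend it to something like `"""Send a command to the server; raise ValueError if cmd or args contain '\r' or '\n'."""`. The exception text also echoes the whole command line with only CR and LF escaped, so any sensitive argument that reaches putcmd (presumably possible on the authentication path, which is not visible here) can end up in logs or tracebacks. Naming just the command, or truncating the arguments, in the message would avoid that. The check sits in putcmd alone, so it is worth confirming that no other caller in the file writes a command line through `self.send` directly.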