diff options
| author | R. David Murray <rdmurray@bitdance.com> | 2011-01-09 02:35:24 (GMT) |
|---|---|---|
| committer | R. David Murray <rdmurray@bitdance.com> | 2011-01-09 02:35:24 (GMT) |
| commit | 5b2d9ddf69cecfb9ad4e687fab3f34ecc5a9ea4f (patch) | |
| tree | bb55bbeaa187a5bea36c3f5a7e3a1bd41d2157a1 /Lib | |
| parent | e3ee66f141706d1220129dcc53b990e66507f5f2 (diff) | |
| download | cpython-5b2d9ddf69cecfb9ad4e687fab3f34ecc5a9ea4f.zip cpython-5b2d9ddf69cecfb9ad4e687fab3f34ecc5a9ea4f.tar.gz cpython-5b2d9ddf69cecfb9ad4e687fab3f34ecc5a9ea4f.tar.bz2 | |
#5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header. Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks. (As far as we know this has never been exploited.)
Thanks to Jakub Wilk for reporting this vulnerability.
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/email/header.py | 10 | ||||
| -rw-r--r-- | Lib/email/test/test_email.py | 12 |
2 files changed, 21 insertions, 1 deletions
diff --git a/Lib/email/header.py b/Lib/email/header.py index f90883f..35cdb2b 100644 --- a/Lib/email/header.py +++ b/Lib/email/header.py @@ -47,6 +47,10 @@ ecre = re.compile(r''' # For use with .match() fcre = re.compile(r'[\041-\176]+:$') +# Find a header embeded in a putative header value. Used to check for +# header injection attack. +_embeded_header = re.compile(r'\n[^ \t]+:') + # Helpers @@ -320,7 +324,11 @@ class Header: if len(lines) > 1: formatter.newline() formatter.add_transition() - return formatter._str(linesep) + value = formatter._str(linesep) + if _embeded_header.search(value): + raise HeaderParseError("header value appears to contain " + "an embedded header: {!r}".format(value)) + return value def _normalize(self): # Step 1: Normalize the chunks so that all runs of identical charsets diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py index a1798ce..e4083ad 100644 --- a/Lib/email/test/test_email.py +++ b/Lib/email/test/test_email.py @@ -561,6 +561,18 @@ class TestMessageAPI(TestEmailBase): "attachment; filename*=utf-8''Fu%C3%9Fballer%20%5Bfilename%5D.ppt", msg['Content-Disposition']) + # Issue 5871: reject an attempt to embed a header inside a header value + # (header injection attack). + def test_embeded_header_via_Header_rejected(self): + msg = Message() + msg['Dummy'] = Header('dummy\nX-Injected-Header: test') + self.assertRaises(errors.HeaderParseError, msg.as_string) + + def test_embeded_header_via_string_rejected(self): + msg = Message() + msg['Dummy'] = 'dummy\nX-Injected-Header: test' + self.assertRaises(errors.HeaderParseError, msg.as_string) + # Test the email.encoders module class TestEncoders(unittest.TestCase): |