bpo-43124: Fix smtplib multiple CRLF injection (GH-25987)

Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019) Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2021-08-29 14:43:39 (GMT)
committer: GitHub <noreply@github.com> 2021-08-29 14:43:39 (GMT)
commit: 9e6c317ab133cd8fa48d5ecd8568314ef2e98634 (patch)
tree: 8ecc3827e057528d4eecc8c3f0133e7056b202d7 /Misc
parent: 270678564c16452614a8acd93763bdf64fb4d286 (diff)
download: cpython-9e6c317ab133cd8fa48d5ecd8568314ef2e98634.zip
cpython-9e6c317ab133cd8fa48d5ecd8568314ef2e98634.tar.gz
cpython-9e6c317ab133cd8fa48d5ecd8568314ef2e98634.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst b/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst
new file mode 100644
index 0000000..e897d6c
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst
@@ -0,0 +1,2 @@
+Made the internal ``putcmd`` function in :mod:`smtplib` sanitize input for
+presence of ``\r`` and ``\n`` characters to avoid (unlikely) command injection.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2021-08-29 14:43:39 (GMT)
committer	GitHub <noreply@github.com>	2021-08-29 14:43:39 (GMT)
commit	9e6c317ab133cd8fa48d5ecd8568314ef2e98634 (patch)
tree	8ecc3827e057528d4eecc8c3f0133e7056b202d7 /Misc
parent	270678564c16452614a8acd93763bdf64fb4d286 (diff)
download	cpython-9e6c317ab133cd8fa48d5ecd8568314ef2e98634.zip cpython-9e6c317ab133cd8fa48d5ecd8568314ef2e98634.tar.gz cpython-9e6c317ab133cd8fa48d5ecd8568314ef2e98634.tar.bz2