summaryrefslogtreecommitdiffstats
path: root/Lib/email/header.py
diff options
context:
space:
mode:
Diffstat (limited to 'Lib/email/header.py')
-rw-r--r--Lib/email/header.py10
1 files changed, 9 insertions, 1 deletions
diff --git a/Lib/email/header.py b/Lib/email/header.py
index aaca18a..ce55d61 100644
--- a/Lib/email/header.py
+++ b/Lib/email/header.py
@@ -46,6 +46,10 @@ ecre = re.compile(r'''
# For use with .match()
fcre = re.compile(r'[\041-\176]+:$')
+# Find a header embeded in a putative header value. Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+
# Helpers
@@ -305,7 +309,11 @@ class Header:
if len(lines) > 1:
formatter.newline()
formatter.add_transition()
- return str(formatter)
+ value = str(formatter)
+ if _embeded_header.search(value):
+ raise HeaderParseError("header value appears to contain "
+ "an embedded header: {!r}".format(value))
+ return value
def _normalize(self):
# Step 1: Normalize the chunks so that all runs of identical charsets
generated by cgit v0.12 at 2024-12-03 15:08:46 (GMT)