From 389af0037175ec5327d401b3d4a3b13d509cc926 Mon Sep 17 00:00:00 2001 From: "R. David Murray" Date: Sun, 9 Jan 2011 02:48:04 +0000 Subject: Merged revisions 87873 via svnmerge from svn+ssh://pythondev@svn.python.org/python/branches/py3k ........ r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines #5871: protect against header injection attacks. This makes Header.encode throw a HeaderParseError if it winds up formatting a header such that a continuation line has no leading whitespace and looks like a header. Since Header accepts values containing newlines and preserves them (and this is by design), without this fix any program that took user input (say, a subject in a web form) and passed it to the email package as a header was vulnerable to header injection attacks. (As far as we know this has never been exploited.) Thanks to Jakub Wilk for reporting this vulnerability. ........ --- Lib/email/header.py | 10 +++++++++- Lib/email/test/test_email.py | 13 +++++++++++++ Misc/NEWS | 7 +++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/Lib/email/header.py b/Lib/email/header.py index aaca18a..ce55d61 100644 --- a/Lib/email/header.py +++ b/Lib/email/header.py @@ -46,6 +46,10 @@ ecre = re.compile(r''' # For use with .match() fcre = re.compile(r'[\041-\176]+:$') +# Find a header embeded in a putative header value. Used to check for +# header injection attack. +_embeded_header = re.compile(r'\n[^ \t]+:') + # Helpers @@ -305,7 +309,11 @@ class Header: if len(lines) > 1: formatter.newline() formatter.add_transition() - return str(formatter) + value = str(formatter) + if _embeded_header.search(value): + raise HeaderParseError("header value appears to contain " + "an embedded header: {!r}".format(value)) + return value def _normalize(self): # Step 1: Normalize the chunks so that all runs of identical charsets diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py index 05eb6a7..5222bab 100644 --- a/Lib/email/test/test_email.py +++ b/Lib/email/test/test_email.py @@ -540,6 +540,19 @@ class TestMessageAPI(TestEmailBase): msg['Content-Disposition']) + # Issue 5871: reject an attempt to embed a header inside a header value + # (header injection attack). + def test_embeded_header_via_Header_rejected(self): + msg = Message() + msg['Dummy'] = Header('dummy\nX-Injected-Header: test') + self.assertRaises(errors.HeaderParseError, msg.as_string) + + def test_embeded_header_via_string_rejected(self): + msg = Message() + msg['Dummy'] = 'dummy\nX-Injected-Header: test' + self.assertRaises(errors.HeaderParseError, msg.as_string) + + # Test the email.encoders module class TestEncoders(unittest.TestCase): def test_encode_empty_payload(self): diff --git a/Misc/NEWS b/Misc/NEWS index d15a849..7af0b2c 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -31,6 +31,13 @@ Core and Builtins Library ------- +- Issue #5871: email.header.Header.encode now raises an error if any + continuation line in the formatted value has no leading white space + and looks like a header. Since Generator uses Header to format all + headers, this check is made for all headers in any serialized message + at serialization time. This provides protection against header + injection attacks. + - Issue #7858: Raise an error properly when os.utime() fails under Windows on an existing file. -- cgit v0.12