bpo-39073: validate Address parts to disallow CRLF (#19007) · python/cpython@614f172 · GitHub
bpo-39073: validate Address parts to disallow CRLF (#19007)
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
1 parent 0003c2d commit 614f172

3 files changed

+25
-0
lines changed


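--- a/Lib/email/headerregistry.py
+++ b/Lib/email/headerregistry.py
@@ -31,6 +31,11 @@ def __init__(self, display_name='', username='', domain='', addr_spec=None):
 without any Content Transfer Encoding.
 
 """
+
+inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
+if '\r' in inputs or '\n' in inputs:
+raise ValueError("invalid arguments; address parts cannot contain CR or LF")
+
 # This clause with its potential 'raise' may only happen when an
 # application program creates an Address object using an addr_spec
 # keyword. The email library code itself must always supply username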
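Review bot: The new ValueError is not documented in the constructor docstring that closes with `"""` immediately above the check, so a caller passing untrusted display names or addresses cannot tell from the docstring that CR or LF is rejected; I would add `Raises ValueError if any part contains CR or LF.` to the docstring. The guard rejects a lone `\r` or `\n` anywhere in any part, which is stricter than CRLF-only and is the right choice against header injection, and a why-comment above the `inputs = ...` line would make that deliberate: `# Reject CR/LF in any part: either would let a caller inject extra header lines.`. Group's display_name is not touched by this hunk; if it is rendered into a header the same way, it presumably needs the same guard, which is worth confirming. `__init__` begins before this hunk and continues past it.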

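--- a/Lib/test/test_email/test_headerregistry.py
+++ b/Lib/test/test_email/test_headerregistry.py
@@ -1437,6 +1437,25 @@ def test_il8n(self):
 # with self.assertRaises(ValueError):
 # Address('foo', 'wők', 'example.com')
 
+def test_crlf_in_constructor_args_raises(self):
+cases = (
+dict(display_name='foo\r'),
+dict(display_name='foo\n'),
+dict(display_name='foo\r\n'),
+dict(domain='example.com\r'),
+dict(domain='example.com\n'),
+dict(domain='example.com\r\n'),
+dict(username='wok\r'),
+dict(username='wok\n'),
+dict(username='wok\r\n'),
+dict(addr_spec='wok@example.com\r'),
+dict(addr_spec='wok@example.com\n'),
+dict(addr_spec='wok@example.com\r\n')
+)
+for kwargs in cases:
+with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid arguments"):
+Address(**kwargs)
+
 def test_non_ascii_username_in_addr_spec_raises(self):
 with self.assertRaises(ValueError):
 Address('foo', addr_spec='wők@example.com')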
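Review bot: Every case in `cases` appends the CR/LF at the end of an otherwise valid value, so the new test never exercises the shape the fix is meant to stop — a line break followed by a forged header — nor a CR/LF in the middle of a part. Adding `dict(display_name='foo\r\nBcc: x@example.com')` and `dict(username='w\nok')` would pin that behaviour, and a case such as `dict(display_name='\n')` would confirm the guard does not depend on surrounding text. The test class starts well before this hunk.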
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
