Unverified Commit 7df32f84 authored by Miss Islington (bot)'s avatar Miss Islington (bot) Committed by GitHub

bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)


Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f1721)

Co-authored-by: default avatarAshwin Ramaswami <aramaswamis@gmail.com>

Co-authored-by: default avatarAshwin Ramaswami <aramaswamis@gmail.com>
parent 763b193c
...@@ -31,6 +31,11 @@ def __init__(self, display_name='', username='', domain='', addr_spec=None): ...@@ -31,6 +31,11 @@ def __init__(self, display_name='', username='', domain='', addr_spec=None):
without any Content Transfer Encoding. without any Content Transfer Encoding.
""" """
inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
if '\r' in inputs or '\n' in inputs:
raise ValueError("invalid arguments; address parts cannot contain CR or LF")
# This clause with its potential 'raise' may only happen when an # This clause with its potential 'raise' may only happen when an
# application program creates an Address object using an addr_spec # application program creates an Address object using an addr_spec
# keyword. The email library code itself must always supply username # keyword. The email library code itself must always supply username
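Review bot: The `__init__` docstring, which closes on the line immediately before the new check, does not mention the new failure mode; since the constructor now rejects CR/LF in every part, add to it `Raises ValueError if any part contains CR or LF, which would otherwise permit header injection when the address is serialized.` The check itself refuses a lone `\r` and a lone `\n` as well as the `\r\n` pair, which is the right choice because some transports and parsers treat a bare LF as a line terminator. Other characters that `str.splitlines()` treats as line boundaries (`\x0b`, `\x0c`, `\x85`, `\u2028`, `\u2029`) still pass; whether the downstream header folder ever splits on them is not visible in this hunk and is worth confirming before treating this constructor check as the only barrier. `__init__` begins above the hunk and its body continues below it.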
......
...@@ -1435,6 +1435,25 @@ def test_il8n(self): ...@@ -1435,6 +1435,25 @@ def test_il8n(self):
# with self.assertRaises(ValueError): # with self.assertRaises(ValueError):
# Address('foo', 'wők', 'example.com') # Address('foo', 'wők', 'example.com')
def test_crlf_in_constructor_args_raises(self):
cases = (
dict(display_name='foo\r'),
dict(display_name='foo\n'),
dict(display_name='foo\r\n'),
dict(domain='example.com\r'),
dict(domain='example.com\n'),
dict(domain='example.com\r\n'),
dict(username='wok\r'),
dict(username='wok\n'),
dict(username='wok\r\n'),
dict(addr_spec='wok@example.com\r'),
dict(addr_spec='wok@example.com\n'),
dict(addr_spec='wok@example.com\r\n')
)
for kwargs in cases:
with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid arguments"):
Address(**kwargs)
def test_non_ascii_username_in_addr_spec_raises(self): def test_non_ascii_username_in_addr_spec_raises(self):
with self.assertRaises(ValueError): with self.assertRaises(ValueError):
Address('foo', addr_spec='wők@example.com') Address('foo', addr_spec='wők@example.com')
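Review bot: Every case in `test_crlf_in_constructor_args_raises` places the terminator at the very end of a single part, so the suite never exercises the shape an injection actually takes: a terminator in the middle followed by a forged header. Adding a case such as `dict(display_name='foo\r\nBcc: attacker@example.com')` and one with the terminator inside a combined username/domain pair, e.g. `dict(username='wok\nx', domain='example.com')`, pins that behaviour against a future refactor of the substring check. The `assertRaisesRegex` on `"invalid arguments"` correctly distinguishes this rejection from the pre-existing non-ASCII `ValueError` tested just below it. A positive control like `Address(display_name='foo', username='wok', domain='example.com')` in the same test would also show the guard does not over-match, though other tests in this file likely already cover plain construction.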
......
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.