[Python-checkins] r87873 - in python/branches/py3k: Lib/email/header.py Lib/email/test/test_email.py Misc/NEWS

Sun Jan 9 03:35:24 CET 2011

Author: r.david.murray
Date: Sun Jan 9 03:35:24 2011
New Revision: 87873
Log:
#5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header. Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks. (As far as we know this has never been exploited.)
Thanks to Jakub Wilk for reporting this vulnerability.
Modified:
 python/branches/py3k/Lib/email/header.py
 python/branches/py3k/Lib/email/test/test_email.py
 python/branches/py3k/Misc/NEWS
Modified: python/branches/py3k/Lib/email/header.py
==============================================================================

--- python/branches/py3k/Lib/email/header.py	(original)
+++ python/branches/py3k/Lib/email/header.py	Sun Jan 9 03:35:24 2011
@@ -47,6 +47,10 @@
 # For use with .match()
 fcre = re.compile(r'[041円-176円]+:$')
 
+# Find a header embeded in a putative header value. Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+
 
 
 # Helpers
@@ -320,7 +324,11 @@
 if len(lines) > 1:
 formatter.newline()
 formatter.add_transition()
- return formatter._str(linesep)
+ value = formatter._str(linesep)
+ if _embeded_header.search(value):
+ raise HeaderParseError("header value appears to contain "
+ "an embedded header: {!r}".format(value))
+ return value
 
 def _normalize(self):
 # Step 1: Normalize the chunks so that all runs of identical charsets
Modified: python/branches/py3k/Lib/email/test/test_email.py
==============================================================================
--- python/branches/py3k/Lib/email/test/test_email.py	(original)
+++ python/branches/py3k/Lib/email/test/test_email.py	Sun Jan 9 03:35:24 2011
@@ -561,6 +561,18 @@
 "attachment; filename*=utf-8''Fu%C3%9Fballer%20%5Bfilename%5D.ppt",
 msg['Content-Disposition'])
 
+ # Issue 5871: reject an attempt to embed a header inside a header value
+ # (header injection attack).
+ def test_embeded_header_via_Header_rejected(self):
+ msg = Message()
+ msg['Dummy'] = Header('dummy\nX-Injected-Header: test')
+ self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+ def test_embeded_header_via_string_rejected(self):
+ msg = Message()
+ msg['Dummy'] = 'dummy\nX-Injected-Header: test'
+ self.assertRaises(errors.HeaderParseError, msg.as_string)
+
 
 # Test the email.encoders module
 class TestEncoders(unittest.TestCase):
Modified: python/branches/py3k/Misc/NEWS
==============================================================================
--- python/branches/py3k/Misc/NEWS	(original)
+++ python/branches/py3k/Misc/NEWS	Sun Jan 9 03:35:24 2011
@@ -40,6 +40,13 @@
 Library
 -------
 
+- Issue #5871: email.header.Header.encode now raises an error if any
+ continuation line in the formatted value has no leading white space
+ and looks like a header. Since Generator uses Header to format all
+ headers, this check is made for all headers in any serialized message
+ at serialization time. This provides protection against header
+ injection attacks.
+
 - Issue #10859: Make ``contextlib.GeneratorContextManager`` officially
 private by renaming it to ``_GeneratorContextManager``.
 
