bpo-39073: validate Address parts to disallow CRLF #19007
Conversation
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @bitdancer: please review the changes made to this pull request. |
Lib/email/headerregistry.py
Outdated
|
|
||
| inputs = ''.join(filter(None, (display_name, username, domain, addr_spec))) | ||
| if '\r' in inputs or '\n' in inputs: | ||
| raise ValueError("invalid inputs; address parts cannot contain CR / LF") |
There was a problem hiding this comment.
Hmm. Reading this I think I'd say "arguments" rather than inputs, that aligns better with our typical vocabulary. And how about "CR or LF"?
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @bitdancer: please review the changes made to this pull request. |
| @@ -0,0 +1 @@ | |||
| Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name). | |||
There was a problem hiding this comment.
I thought I'd already made this comment but I can't find it:
"DIsallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks."
|
@bitdancer: Please replace |
|
Thanks @epicfaace for the PR, and @bitdancer for merging it 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
GH-19222 is a backport of this pull request to the 3.8 branch. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
GH-19223 is a backport of this pull request to the 3.7 branch. |
|
GH-19224 is a backport of this pull request to the 3.6 branch. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name)
https://bugs.python.org/issue39073