Merged revisions 87873 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines

  #5871: protect against header injection attacks.

  This makes Header.encode throw a HeaderParseError if it winds up
  formatting a header such that a continuation line has no leading
  whitespace and looks like a header.  Since Header accepts values
  containing newlines and preserves them (and this is by design), without
  this fix any program that took user input (say, a subject in a web form)
  and passed it to the email package as a header was vulnerable to header
  injection attacks.  (As far as we know this has never been exploited.)

  Thanks to Jakub Wilk for reporting this vulnerability.
........

diff --git a/Lib/email/header.py b/Lib/email/header.py
index aaca18aff47d751733581c89081c4b1bc937ea77..ce55d61e30586ed45be7305b9f71f966fac964bb 100644 (file)
--- a/Lib/email/header.py
+++ b/Lib/email/header.py
@@ -46,6 +46,10 @@ ecre = re.compile(r'''
 # For use with .match()
 fcre = re.compile(r'[\041-\176]+:$')
 
+# Find a header embeded in a putative header value.  Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+
 
 \f
 # Helpers
@@ -305,7 +309,11 @@ class Header:
                 if len(lines) > 1:
                     formatter.newline()
             formatter.add_transition()
-        return str(formatter)
+        value = str(formatter)
+        if _embeded_header.search(value):
+            raise HeaderParseError("header value appears to contain "
+                "an embedded header: {!r}".format(value))
+        return value
 
     def _normalize(self):
         # Step 1: Normalize the chunks so that all runs of identical charsets

diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
index 05eb6a7bee147938c9e4f6b3d153a0a7271214fe..5222baba419b9254d76c5e773e43436c2d60bedb 100644 (file)
--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
@@ -540,6 +540,19 @@ class TestMessageAPI(TestEmailBase):
             msg['Content-Disposition'])
 
 
+    # Issue 5871: reject an attempt to embed a header inside a header value
+    # (header injection attack).
+    def test_embeded_header_via_Header_rejected(self):
+        msg = Message()
+        msg['Dummy'] = Header('dummy\nX-Injected-Header: test')
+        self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+    def test_embeded_header_via_string_rejected(self):
+        msg = Message()
+        msg['Dummy'] = 'dummy\nX-Injected-Header: test'
+        self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+
 # Test the email.encoders module
 class TestEncoders(unittest.TestCase):
     def test_encode_empty_payload(self):

diff --git a/Misc/NEWS b/Misc/NEWS
index d15a8498f5c82d1be3e98f2bda933783fd47a5c0..7af0b2c7695a259636c4739197e991a92561e390 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -31,6 +31,13 @@ Core and Builtins
 Library
 -------
 
+- Issue #5871: email.header.Header.encode now raises an error if any
+  continuation line in the formatted value has no leading white space
+  and looks like a header.  Since Generator uses Header to format all
+  headers, this check is made for all headers in any serialized message
+  at serialization time.  This provides protection against header
+  injection attacks.
+
 - Issue #7858: Raise an error properly when os.utime() fails under Windows
   on an existing file.