]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1fc43a3)
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Wed, 17 Jul 2019 17:13:54 +0000 (10:13 -0700)
committerGitHub <noreply@github.com>
Wed, 17 Jul 2019 17:13:54 +0000 (10:13 -0700)
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers.

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)

Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
Lib/email/_header_value_parser.py patch | blob | history
Lib/test/test_email/test__header_value_parser.py patch | blob | history
Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst [new file with mode: 0644] patch | blob

diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
index 64753218a3697d407ec129cdad9d0a01e939e7d1..2fc8abcbc5ad58d31013b1c5b8ff305d82a0d860 100644 (file)
--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
@@ -2475,6 +2475,9 @@ def get_parameter(value):
         while value:
             if value[0] in WSP:
                 token, value = get_fws(value)
+            elif value[0] == '"':
+                token = ValueTerminal('"', 'DQUOTE')
+                value = value[1:]
             else:
                 token, value = get_qcontent(value)
             v.append(token)
diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
index 14d1ff36f4a17cae7d9995eacddb981582150fc6..629174999961c8283289c69d012bb7de64d7d467 100644 (file)
--- a/Lib/test/test_email/test__header_value_parser.py
+++ b/Lib/test/test_email/test__header_value_parser.py
@@ -2690,6 +2690,13 @@ class Test_parse_mime_parameters(TestParserMixin, TestEmailBase):
             # Defects are apparent missing *0*, and two 'out of sequence'.
             [errors.InvalidHeaderDefect]*3),
 
+        # bpo-37461: Check that we don't go into an infinite loop.
+        'extra_dquote': (
+            'r*="\'a\'\\"',
+            ' r="\\""',
+            'r*=\'a\'"',
+            [('r', '"')],
+            [errors.InvalidHeaderDefect]*2),
     }
 
 @parameterize
diff --git a/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst b/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
new file mode 100644 (file)
index 0000000..4bfd350
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
@@ -0,0 +1,2 @@
+Fix an inifite loop when parsing specially crafted email headers. Patch by
+Abhilash Raj.
Unnamed repository; edit this file 'description' to name the repository.