]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 82494aa)
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
authorAbhilash Raj <maxking@users.noreply.github.com>
Wed, 17 Jul 2019 16:44:27 +0000 (09:44 -0700)
committerBarry Warsaw <barry@python.org>
Wed, 17 Jul 2019 16:44:27 +0000 (09:44 -0700)
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers.

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.

Lib/email/_header_value_parser.py patch | blob | history
Lib/test/test_email/test__header_value_parser.py patch | blob | history
Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst [new file with mode: 0644] patch | blob

diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
index 37dc76470160520d4fb6536e15b2d1cc72b7a345..66b042ee0ef03cc17f664797919f5c706f55373a 100644 (file)
--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
@@ -2496,6 +2496,9 @@ def get_parameter(value):
         while value:
             if value[0] in WSP:
                 token, value = get_fws(value)
+            elif value[0] == '"':
+                token = ValueTerminal('"', 'DQUOTE')
+                value = value[1:]
             else:
                 token, value = get_qcontent(value)
             v.append(token)
diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
index c4e1a9f99495a4911736fe92482ff11ea596cd51..a83915d6d059cf05fdddcbea68cd9f6973d64e7b 100644 (file)
--- a/Lib/test/test_email/test__header_value_parser.py
+++ b/Lib/test/test_email/test__header_value_parser.py
@@ -2710,6 +2710,13 @@ class Test_parse_mime_parameters(TestParserMixin, TestEmailBase):
             # Defects are apparent missing *0*, and two 'out of sequence'.
             [errors.InvalidHeaderDefect]*3),
 
+        # bpo-37461: Check that we don't go into an infinite loop.
+        'extra_dquote': (
+            'r*="\'a\'\\"',
+            ' r="\\""',
+            'r*=\'a\'"',
+            [('r', '"')],
+            [errors.InvalidHeaderDefect]*2),
     }
 
 @parameterize
diff --git a/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst b/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
new file mode 100644 (file)
index 0000000..4bfd350
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst
@@ -0,0 +1,2 @@
+Fix an inifite loop when parsing specially crafted email headers. Patch by
+Abhilash Raj.
Unnamed repository; edit this file 'description' to name the repository.