Merged revisions 87873 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/branches/py3k ........ r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines #5871: protect against header injection attacks. This makes Header.encode throw a HeaderParseError if it winds up formatting a header such that a continuation line has no leading whitespace and looks like a header. Since Header accepts values containing newlines and preserves them (and this is by design), without this fix any program that took user input (say, a subject in a web form) and passed it to the email package as a header was vulnerable to header injection attacks. (As far as we know this has never been exploited.) Thanks to Jakub Wilk for reporting this vulnerability. ........
2025-08-04 08:59:19 +00:00 · 2011-01-09 02:48:04 +00:00 · 2011-01-09 02:48:04 +00:00 · 389af00371
commit 389af00371
parent 50778ab4c2
3 changed files with 29 additions and 1 deletions
--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
@ -540,6 +540,19 @@ class TestMessageAPI(TestEmailBase):
            msg['Content-Disposition'])


+    # Issue 5871: reject an attempt to embed a header inside a header value
+    # (header injection attack).
+    def test_embeded_header_via_Header_rejected(self):
+        msg = Message()
+        msg['Dummy'] = Header('dummy\nX-Injected-Header: test')
+        self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+    def test_embeded_header_via_string_rejected(self):
+        msg = Message()
+        msg['Dummy'] = 'dummy\nX-Injected-Header: test'
+        self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+
 # Test the email.encoders module
 class TestEncoders(unittest.TestCase):
    def test_encode_empty_payload(self):