#5871: protect against header injection attacks.

This makes Header.encode throw a HeaderParseError if it winds up formatting a header such that a continuation line has no leading whitespace and looks like a header. Since Header accepts values containing newlines and preserves them (and this is by design), without this fix any program that took user input (say, a subject in a web form) and passed it to the email package as a header was vulnerable to header injection attacks. (As far as we know this has never been exploited.) Thanks to Jakub Wilk for reporting this vulnerability.
2025-11-25 21:11:09 +00:00 · 2011-01-09 02:35:24 +00:00 · 2011-01-09 02:35:24 +00:00 · 5b2d9ddf69
commit 5b2d9ddf69
parent e3ee66f141
3 changed files with 28 additions and 1 deletions
--- a/Lib/email/header.py
+++ b/Lib/email/header.py
@ -47,6 +47,10 @@ ecre = re.compile(r'''
 # For use with .match()
 fcre = re.compile(r'[\041-\176]+:$')

+# Find a header embeded in a putative header value.  Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+


 # Helpers
@ -320,7 +324,11 @@ class Header:
            if len(lines) > 1:
                formatter.newline()
            formatter.add_transition()
-        return formatter._str(linesep)
+        value = formatter._str(linesep)
+        if _embeded_header.search(value):
+            raise HeaderParseError("header value appears to contain "
+                "an embedded header: {!r}".format(value))
+        return value

    def _normalize(self):
        # Step 1: Normalize the chunks so that all runs of identical charsets