gh-127794: Validate email header names according to RFC 5322 (#127820)

`email.message.Message` objects now validate header names specified via `__setitem__` or `add_header` according to RFC 5322, §2.2 [1]. In particular, callers should expect a ValueError to be raised for invalid header names. [1]: https://datatracker.ietf.org/doc/html/rfc5322#section-2.2 --------- Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: R. David Murray <rdmurray@bitdance.com>
2025-08-30 21:48:47 +00:00 · 2025-03-30 17:59:29 +05:30 · 2025-03-30 17:59:29 +05:30 · c432d0147b
commit c432d0147b
parent 55150a79ca
5 changed files with 71 additions and 1 deletions
--- a/Lib/email/_policybase.py
+++ b/Lib/email/_policybase.py
@ -4,6 +4,7 @@ Allows fine grained feature control of how the package parses and emits data.
 """

 import abc
+import re
 from email import header
 from email import charset as _charset
 from email.utils import _has_surrogates
@ -14,6 +15,14 @@ __all__ = [
    'compat32',
    ]

+# validation regex from RFC 5322, equivalent to pattern re.compile("[!-9;-~]+$")
+valid_header_name_re = re.compile("[\041-\071\073-\176]+$")
+
+def validate_header_name(name):
+    # Validate header name according to RFC 5322
+    if not valid_header_name_re.match(name):
+        raise ValueError(
+            f"Header field name contains invalid characters: {name!r}")

 class _PolicyBase:

@ -314,6 +323,7 @@ class Compat32(Policy):
        """+
        The name and value are returned unmodified.
        """
+        validate_header_name(name)
        return (name, value)

    def header_fetch_parse(self, name, value):