mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-04 08:59:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

[3.11] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122608)

Browse source 
Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

Verify that email headers are well-formed.

This should fail for custom fold() implementations that aren't careful
about newlines.

(cherry picked from commit 0976339818)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
This commit is contained in:
Łukasz Langa 2024-09-04 17:37:28 +02:00 committed by GitHub
parent d449caf8a1
commit f7c0f09e69
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 164 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Doc/library/email.errors.rst
View file

@ -58,6 +58,13 @@ The following exception classes are defined in the :mod:`email.errors` module:
:class:`~email.mime.nonmultipart.MIMENonMultipart` (e.g.
:class:`~email.mime.image.MIMEImage`).
.. exception:: HeaderWriteError()
Raised when an error occurs when the :mod:`~email.generator` outputs
headers.
.. exception:: MessageDefect()
This is the base class for all defects found when parsing email messages.

18
Doc/library/email.policy.rst
View file

@ -228,6 +228,24 @@ added matters. To illustrate::
.. versionadded:: 3.6
.. attribute:: verify_generated_headers
If ``True`` (the default), the generator will raise
:exc:`~email.errors.HeaderWriteError` instead of writing a header
that is improperly folded or delimited, such that it would
be parsed as multiple headers or joined with adjacent data.
Such headers can be generated by custom header classes or bugs
in the ``email`` module.
As it's a security feature, this defaults to ``True`` even in the
:class:`~email.policy.Compat32` policy.
For backwards compatible, but unsafe, behavior, it must be set to
``False`` explicitly.
.. versionadded:: 3.11.10
The following :class:`Policy` method is intended to be called by code using
the email library to create policy instances with custom settings: