gh-80222: Fix email address header folding with long quoted-string #122753
Conversation
Email generators using email.policy.default could incorrectly omit the
quote ('"') characters from a quoted-string during header refolding,
leading to invalid address headers and enabling header spoofing. This
change restores the quote characters on a bare-quoted-string as the
header is refolded, and escapes backslash and quote chars in the string.
|
Requesting a review from @bitdancer (who probably knows the most about this code, and was actively involved in the discussion on the original report five years ago). (See also PR #122754 which aims to fix a similar security issue with encoded-words.) |
This comment was marked as outdated.
This comment was marked as outdated.
Misc/NEWS.d/next/Security/2024-08-06-11-43-08.gh-issue-80222.wfR4BU.rst
Outdated
Show resolved
Hide resolved
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
I have made the requested changes; please review again. @bitdancer thanks for the review! |
|
Thanks for making the requested changes! @bitdancer, @encukou: please review the changes made to this pull request. |
|
@encukou and @bitdancer thanks for the reviews. Any chance you could also look at the related PR #122754, which fixes a similar problem in refolding rfc2047 encoded-words? |
|
Sure, I've added it to my list. I'm finally back to contributing more actively after years away, but it may still take me a while to get to it ;) |
|
Thanks @medmunds for the PR, and @bitdancer for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13. |
…ing (pythonGH-122753) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string. (cherry picked from commit 5aaf416) Co-authored-by: Mike Edmunds <medmunds@gmail.com>
…ing (pythonGH-122753) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string. (cherry picked from commit 5aaf416) Co-authored-by: Mike Edmunds <medmunds@gmail.com>
|
GH-129007 is a backport of this pull request to the 3.13 branch. |
…ing (pythonGH-122753) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string. (cherry picked from commit 5aaf416) Co-authored-by: Mike Edmunds <medmunds@gmail.com>
|
GH-129008 is a backport of this pull request to the 3.12 branch. |
|
Sorry, @medmunds and @bitdancer, I could not cleanly backport this to |
|
GH-129009 is a backport of this pull request to the 3.11 branch. |
|
Sorry, @medmunds and @bitdancer, I could not cleanly backport this to |
…ring (GH-122753) (#129007) gh-80222: Fix email address header folding with long quoted-string (GH-122753) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string. (cherry picked from commit 5aaf416) Co-authored-by: Mike Edmunds <medmunds@gmail.com>
…ring (GH-122753) (#129008) gh-80222: Fix email address header folding with long quoted-string (GH-122753) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string. (cherry picked from commit 5aaf416) Co-authored-by: Mike Edmunds <medmunds@gmail.com>
|
GH-129111 is a backport of this pull request to the 3.10 branch. |
…ing (python#122753) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string.
Fixes #80222 (bpo-36041).
Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string.
Fix is adapted from PR #12054.
[This fixes a #security-issue. PSRT instructed me to handle the fix publicly.]