The following will hang, and consume a large amount of memory:from email.parser import BytesParser, Parserfrom email.policy import defaultpayload = "".join(chr(c) for c in [0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x78, 0x3b, 0x61, 0x72, 0x1b, 0x2a, 0x3d, 0x22, 0x73, 0x4f, 0x27, 0x23, 0x61, 0xff, 0xff, 0x27, 0x5c, 0x22])Parser(policy=default).parsestr(payload)

Sounds like there is an infinite loop here:```Pdb) > /usr/lib/python3.7/email/_header_value_parser.py(2370)get_parameter()-> v.append(token)(Pdb) > /usr/lib/python3.7/email/_header_value_parser.py(2365)get_parameter()-> while value:```the ```v.append(token)``` is just growing with ```ValueTerminal(''), ValueTerminal(''), ValueTerminal('')...```I'd be happy to try to fix this.

Since the parser could take user input this looks like a security issue to me along with high CPU usage. Feel free to remove the tag if it's not a security issue. Thanks.

I'm terribly sorry, but I feel I won't be able to fix this issue. Sorry for fuss. Closing my PR, because it's broken.

>>> bytes([0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x78, 0x3b, 0x61, 0x72, 0x1b, 0x2a, 0x3d, 0x22, 0x73, 0x4f, 0x27, 0x23, 0x61, 0xff, 0xff, 0x27, 0x5c, 0x22])b'Content-Type:x;ar\x1b*="sO\'#a\xff\xff\'\\"'The following loop ofLib/email/_header_value_parser.py does never stop:def get_parameter(value):    """ attribute [section] ["*"] [CFWS] "=" value    The CFWS is implied by the RFC but not made explicit in the BNF.  This    simplified form of the BNF from the RFC is made to conform with the RFC BNF    through some extra checks.  We do it this way because it makes both error    recovery and working with the resulting parse tree easier.    """    ...    if remainder is not None:        ...        while value:            ...Attached reproducer.py is code from initialmsg346953.reproducer2.py simplify the input and calls directly get_parameter(). Simplified input string:   r*="'a'\"

I have proposed a PR for this:https://github.com/python/cpython/pull/14794Reviews are welcome.

I used fuzzing to find this bug. After applying your patch, the infinite loop is gone and it cannot find any other bugs of this nature.

New changeseta4a994bd3e619cbaff97610a1cee8ffa87c672f5 by Barry Warsaw (Abhilash Raj) in branch 'master':bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)https://github.com/python/cpython/commit/a4a994bd3e619cbaff97610a1cee8ffa87c672f5

New changeset391511ccaaf0050970dfbe95bf2df1bcf6c33440 by Miss Islington (bot) in branch '3.7':bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)https://github.com/python/cpython/commit/391511ccaaf0050970dfbe95bf2df1bcf6c33440

New changeset6816ca30af7705db691343100e696ea3d8f447d5 by Miss Islington (bot) in branch '3.8':bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)https://github.com/python/cpython/commit/6816ca30af7705db691343100e696ea3d8f447d5

3.5 also seems to be affected. git cherry pick works and the patch fixes the problem so I assume the backport would be straightforward. Since 3.5 is open for security fixes with 3.5.8 as next release I am adding Larry.$ git cherry-pick a4a994bPerforming inexact rename detection: 100% (566740/566740), done.[detached HEAD9877e9283c]bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) Author: Abhilash Raj <maxking@users.noreply.github.com> Date: Wed Jul 17 09:44:27 2019 -0700 3 files changed, 12 insertions(+) create mode 100644bpo-37461.1Ahz7O.rst">Misc/NEWS.d/next/Security/2019-07-16-08-11-00.bpo-37461.1Ahz7O.rst

New changeset1789bbdd3e03023951a39933ef12dee0a03be616 by Ned Deily (Miss Islington (bot)) in branch '3.6':bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)https://github.com/python/cpython/commit/1789bbdd3e03023951a39933ef12dee0a03be616

New changeset799e4e527019d9429fdef12d08a0c03b08a1fb59 by Ned Deily (GeeTransit) in branch '3.7':[3.7]bpo-37461: Fix typo (inifite -> infinite) (GH-15430)https://github.com/python/cpython/commit/799e4e527019d9429fdef12d08a0c03b08a1fb59

New changesetf1f9c0c532089824791cfc18e6d6f29e1cd62596 by Ned Deily (GeeTransit) in branch '3.6':[3.6]bpo-37461: Fix typo (inifite -> infinite) (#15432)https://github.com/python/cpython/commit/f1f9c0c532089824791cfc18e6d6f29e1cd62596

xtreak, would you be willing to make the PR for 3.5?  That will make it easier for Larry to decide whether to include it in a 3.5 security release.

I manually created a backport PR for 3.5 and added Larry as a reviewer.https://github.com/python/cpython/pull/15446

New changesetc28e4a5160d3283b12514c7c28ed6e0a2a52271a by larryhastings (Abhilash Raj) in branch '3.5':[3.5]bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446)https://github.com/python/cpython/commit/c28e4a5160d3283b12514c7c28ed6e0a2a52271a

This seems complete, can it be closed?

Thanks everyone for the fixes; I think this bug is now resolved.  Closing.