NotificationsYou must be signed in to change notification settings
Fork32.4k
Star67.9k

gh-121650 : detect newlines in headers#121812

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Closed

basbloemsaat wants to merge12 commits intopython:mainfrombasbloemsaat:fix-issue-121650-detect-newlines-in-headers

Closed

gh-121650 : detect newlines in headers#121812

basbloemsaat wants to merge12 commits intopython:mainfrombasbloemsaat:fix-issue-121650-detect-newlines-in-headers

Conversation

Copy link

Contributor

basbloemsaat commentedJul 15, 2024•
edited by bedevere-appbot
Loading

@encukou as promised, the fix for this issue.

This PR fixes both issues addressed in the issue, both the newlines at the end as well as the encoded newlines.

As this has security implication, it may need to be backported as well.

Issue:email.policy.default - gotcha with re-using parsed headers with embedded newlines #121650

basbloemsaat added2 commits

July 14, 2024 14:31

detect line splits, also at the end

d3ca18a

also detect encoded newlines

891d4f8

basbloemsaat requested a review froma team as acode owner

July 15, 2024 19:53

bedevere-appbot mentioned this pull request

Jul 15, 2024

email.policy.default - gotcha with re-using parsed headers with embedded newlines#121650

Closed

bedevere-appbot added the awaiting review label

Jul 15, 2024

Merge branch 'main' into fix-issue-121650-detect-newlines-in-headers

67d4121

ZeroIntensity requested changes

Jul 15, 2024

View reviewed changes

Copy link

Member

ZeroIntensity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I wasn't able to confirm that this PR fixes#121650. The original reproducer still contains the embedded newline:

fromemailimportmessage_from_stringfromemail.policyimportdefaultemail_in="""\To: incoming+tag@me.example.comFrom: External Sender <sender@them.example.com>Subject: Here's an =?UTF-8?Q?embedded_newline=0A?=Content-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableMIME-Version: 1.0<html><head><title>An embeded newline</title></head><body>  <p>I sent you an embedded newline in the subject. How do you like that?!</p></body></html>"""msg=message_from_string(email_in,policy=default)msg=message_from_string(email_in,policy=default)forheader,valueinmsg.items():delmsg[header]msg[header]=valueemail_out=str(msg)print(email_out)

Lib/email/policy.py OutdatedShow resolvedHide resolved

Misc/NEWS.d/next/Library/2024-07-15-21-43-38.gh-issue-121650.A0FkCh.rst OutdatedShow resolvedHide resolved

Misc/NEWS.d/next/Library/2024-07-15-21-43-38.gh-issue-121650.A0FkCh.rstShow resolvedHide resolved

bedevere-appbot added awaiting core review and removed awaiting review labels

Jul 15, 2024

basbloemsaatand others added4 commits

July 16, 2024 09:36

Update Lib/email/policy.py

62ceb40

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>

Update Misc/NEWS.d/next/Library/2024-07-15-21-43-38.gh-issue-121650.A…

aa4fd24

…0FkCh.rstCo-authored-by: Peter Bierma <zintensitydev@gmail.com>

also check parsed headers for newlines and returns

23fdf74

More specific update blurb

d210941

Copy link

ContributorAuthor

basbloemsaat commentedJul 16, 2024•
edited
Loading

I wasn't able to confirm that this PR fixes#121650. The original reproducer still contains the embedded newline:
...

I missed headers that were parsed from a message, as in original issue. I updated the fix and the tests.

basbloemsaat requested a review fromZeroIntensity

July 16, 2024 09:13

Merge branch 'main' into fix-issue-121650-detect-newlines-in-headers

118c709

ZeroIntensity approved these changes

Jul 16, 2024

View reviewed changes

Copy link

Member

ZeroIntensity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Confirmed that this fixes#121650. I'm pretty sure this is a security fix (as you could previously inject email headers using this method), so this should need a backport all the way to 3.8

Copy link

Member

encukou commentedJul 16, 2024

@warsaw,@bitdancer,@maxking: as theemail experts, do you have any comments?

encukou previously approved these changes

Jul 16, 2024

View reviewed changes

Copy link

Member

encukou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The fix looks good to me! Thank you for digging into it!

bedevere-appbot added awaiting merge and removed awaiting core review labels

Jul 16, 2024

encukou dismissed theirstale review

July 19, 2024 16:06

There's more

bedevere-appbot added awaiting core review and removed awaiting merge labels

Jul 19, 2024

Copy link

Member

encukou commentedJul 19, 2024

I take back the review. There's more to this, unfortunately :(

Here's another reproducer:

fromemailimportmessage_from_stringfromemail.policyimportdefaultemail_in="""\To: incoming+tag@me.example.comFrom: External Sender <sender@them.example.com>  =?UTF-8?Q?embedded_newline=0A?=Smuggled-Data: BadSubject: foo <bar> Here's anContent-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableMIME-Version: 1.0<html><head><title>An embeded newline</title></head><body>  <p>I sent you an embedded newline in the subject. How do you like that?!</p></body></html>"""msg=message_from_string(email_in,policy=default)print(msg)forheader,valueinmsg.items():delmsg[header]msg[header]=valueemail_out=str(msg)print(email_out)

Copy link

ContributorAuthor

basbloemsaat commentedJul 19, 2024

I take back the review. There's more to this, unfortunately :(

I'll look into this...

basbloemsaat added3 commits

July 19, 2024 19:28

Merge branch 'main' into fix-issue-121650-detect-newlines-in-headers

08e5fe1

Merge branch 'fix-issue-121650-detect-newlines-in-headers' of github.…

c5e9264

…com:basbloemsaat/cpython into fix-issue-121650-detect-newlines-in-headers

check all headers for newlines

5a163b5

basbloemsaat requested a review fromencukou

July 19, 2024 22:07

Copy link

ContributorAuthor

basbloemsaat commentedJul 19, 2024•
edited
Loading

@encukou I tried all header types. This eliminates all newlines. Two notes:

date headers (and derivatives) parse the date, and the offending code is eliminated that way
the MIME-Version header doesn't decode the encoded newline, so it doesn't break the message. Improving the parsing of that header would mean rewriting the parsing code to do so, but I think that goes beyond the scope of this ticket.