Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32k
gh-121284: Fix email address header folding with parsed encoded-word#122754
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
…-wordEmail generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.
Requesting a review from@serhiy-storchaka, who recently reviewed a similar security fix around encoded words in email headers (#122233). And pinging@bitdancer, who probably knows the most about this section of the code. (Also hoping both of you might be able to review PR#122753, which tries to fix a related security issue first reported 5 years ago.) |
(A nicer fix would be to decide separately whether each refolded segment needs rfc2047 encoding, quoted-string handling, or no special treatment. But that would require giving _refold_parse_tree() info about whether it's working in a structured or unstructured header, which seems too involved for a security patch.) |
ContributorAuthor
medmunds commentedJan 19, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Btw, although this may seem like it's too obscure to matter much, it's actually pretty easy to stumble into vulnerable code. E.g., calling email.utils.formataddr() (correctly!) with user-supplied content can generate exactly the sort of (valid) encoded-word that gets mishandled by email.policy.default. |
encukou approved these changesFeb 27, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
By my reading of the code, this is correct.
I'd appreciate an additional review from an email expert, but, if there are no objections I plat to merge this next week.
Please give me another day to look at this before you merge. I think it's fine, but there are a couple things I want to check. |
OK, there is actually a pretty straightforward solution to this problem, and the functionality is better: At this point I no longer remember what 'vtext' was supposed to stand for, but 'utext' is obviously 'unstructured text token' ;) The documentation of these bits of the code could use some improvement (not to mention the code itself!), but this fixes the problem pretty much in the way the original code was intended to work, if we imagine that the failure to check whether or not we were dealing with structured text was a bug as opposed to me forgetting about the distinction ;) |
… encoded-word[Better fix from@bitdancer.]Co-authored-by: R David Murray <rdmurray@bitdance.com>
Nice! That feels much better, and allows unencoding encoded-words in refolding when it's safe. I've updated the PR with your change. |
bitdancer approved these changesMar 6, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestMar 18, 2025
…-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
GH-131403 is a backport of this pull request to the3.13 branch. |
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestMar 18, 2025
…-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
GH-131404 is a backport of this pull request to the3.12 branch. |
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestMar 18, 2025
…-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
Sorry,@medmunds and@encukou, I could not cleanly backport this to |
GH-131405 is a backport of this pull request to the3.11 branch. |
Sorry,@medmunds and@encukou, I could not cleanly backport this to |
encukou added a commit to encukou/cpython that referenced this pull requestMar 18, 2025
…encoded-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
encukou added a commit to encukou/cpython that referenced this pull requestMar 18, 2025
…encoded-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
GH-131411 is a backport of this pull request to the3.10 branch. |
encukou added a commit to encukou/cpython that referenced this pull requestMar 18, 2025
…ncoded-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
encukou added a commit to encukou/cpython that referenced this pull requestMar 18, 2025
…ncoded-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
encukou added a commit to encukou/cpython that referenced this pull requestMar 18, 2025
…ncoded-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
GH-131412 is a backport of this pull request to the3.9 branch. |
bitdancer added a commit that referenced this pull requestMar 18, 2025
…d-word (GH-122754) (#131403)gh-121284: Fix email address header folding with parsed encoded-word (GH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
bitdancer added a commit that referenced this pull requestMar 18, 2025
…d-word (GH-122754) (#131404)gh-121284: Fix email address header folding with parsed encoded-word (GH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------(cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
colesbury pushed a commit to colesbury/cpython that referenced this pull requestMar 20, 2025
…-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
ambv pushed a commit that referenced this pull requestApr 3, 2025
…d-word (GH-122754) (GH-131405)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.](cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
ambv pushed a commit that referenced this pull requestApr 3, 2025
…d-word (GH-122754) (GH-131411)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.](cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>
ambv pushed a commit that referenced this pull requestApr 3, 2025
…-word (GH-122754) (GH-131412)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.](cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>
gentoo-bot pushed a commit to gentoo/cpython that referenced this pull requestApr 9, 2025
…ncoded-word (pythonGH-122754) (pythonGH-131412)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.](cherry picked from commit295b53d)Co-authored-by: Mike Edmunds <medmunds@gmail.com>Co-authored-by: R David Murray <rdmurray@bitdance.com>
seehwan pushed a commit to seehwan/cpython that referenced this pull requestApr 16, 2025
…-word (pythonGH-122754)Email generators using email.policy.default may convert an RFC 2047encoded-word to unencoded form during header refolding. In a structuredheader, this could allow 'specials' chars outside a quoted-string,leading to invalid address headers and enabling spoofing. This changeensures a parsed encoded-word that contains specials is kept as anencoded-word while the header is refolded.[Better fix from@bitdancer.]---------Co-authored-by: R David Murray <rdmurray@bitdance.com>Co-authored-by: Petr Viktorin <encukou@gmail.com>
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
Fixes#121284.
[This fixes a #security-issue. PSRT instructed me to handle the fix publicly.]
Email generators using email.policy.default may convert an RFC 2047 encoded-word to unencoded form during header refolding. In a structured header, this could allow 'specials' chars outside a quoted-string, leading to invalid address headers and enabling spoofing. This change ensures a parsed encoded-word that contains specials is kept as an encoded-word while the header is refolded.
The issue is very similar to PR#122753 (and has the same security implications), but this PR involves refolding an encoded-word; the other PR involves refolding a quoted-string. The fixes required are different.