bpo-39073: validate Address parts to disallow CRLF #19007
bitdancer merged 8 commits into python:master from
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
epicfaace
left a comment
I have made the requested changes; please review again
Thanks for making the requested changes! @bitdancer: please review the changes made to this pull request. |
Lib/email/headerregistry.py
Outdated
|
|
||
| inputs = ''.join(filter(None, (display_name, username, domain, addr_spec))) | ||
| if '\r' in inputs or '\n' in inputs: | ||
| raise ValueError("invalid inputs; address parts cannot contain CR / LF") |
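Review bot: the `''.join(filter(None, (...)))` on the first line assumes every non-empty argument is a str, so a bytes or other non-str value fails with a TypeError from `join` before the CR/LF test is reached, and the ValueError that follows cannot say which of the four arguments was at fault. Consider testing each argument on its own and naming it in the message, and add a one-line comment above the check saying it guards against header injection.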
Hmm. Reading this I think I'd say "arguments" rather than inputs, that aligns better with our typical vocabulary. And how about "CR or LF"?
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @bitdancer: please review the changes made to this pull request. |
bitdancer
left a comment
Except for the news item text this looks good.
| @@ -0,0 +1 @@ | |||
| Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name). No newline at end of file | |||
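Review bot: the entry says "CRLF" and lists only username, domain and display_name, while the check in Lib/email/headerregistry.py rejects a lone CR or a lone LF and also covers addr_spec. Word it as "CR or LF" in the Address arguments, state what the check protects against, and end the file with a newline (the hunk is marked "No newline at end of file").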
I thought I'd already made this comment but I can't find it:
"Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks."
|
@bitdancer: Please replace |
|
Thanks @epicfaace for the PR, and @bitdancer for merging it 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
GH-19222 is a backport of this pull request to the 3.8 branch. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
GH-19223 is a backport of this pull request to the 3.7 branch. |
|
GH-19224 is a backport of this pull request to the 3.6 branch. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name)
https://bugs.python.org/issue39073
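
The check this pull request adds, shown from the caller's side as an added example that is not code from the PR or from CPython: a wrapper tests each Address argument separately so the error names the offending one, and a probe confirms the standard-library check also fires. The helper names (`find_crlf_parts`, `safe_address`, `stdlib_rejects`, `build_message`) and the sample values are constructed for illustration; `stdlib_rejects` assumes a Python version that includes this change.

```python
from email.headerregistry import Address
from email.message import EmailMessage
from email.policy import SMTP


def find_crlf_parts(**parts):
    """Return the names of the arguments whose value contains CR or LF."""
    return sorted(
        name for name, value in parts.items()
        if isinstance(value, str) and ('\r' in value or '\n' in value)
    )


def safe_address(display_name='', username='', domain=''):
    """Build an Address; on rejection, name the offending argument(s)."""
    bad = find_crlf_parts(display_name=display_name,
                          username=username, domain=domain)
    if bad:
        raise ValueError("CR or LF found in: " + ", ".join(bad))
    return Address(display_name=display_name, username=username, domain=domain)


def stdlib_rejects(**kwargs):
    """True if email.headerregistry.Address itself raises ValueError."""
    try:
        Address(**kwargs)
    except ValueError:
        return True
    return False


def build_message(display_name, username, domain):
    """Build a message whose From header comes from validated parts."""
    msg = EmailMessage(policy=SMTP)
    msg['From'] = safe_address(display_name, username, domain)
    msg['Subject'] = 'test'
    msg.set_content('body')
    return msg


# Constructed sample inputs (not taken from the PR).
CLEAN = dict(display_name='Alice Example', username='alice',
             domain='example.com')
TAINTED = dict(display_name='Alice\r\nX-Added: 1', username='alice',
               domain='example.com')
```
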