bpo-39073: validate Address parts to disallow CRLF #19007
Conversation
Thanks for the PR.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
I have made the requested changes; please review again
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @bitdancer: please review the changes made to this pull request. |
Lib/email/headerregistry.py
Outdated
|
|
||
| inputs = ''.join(filter(None, (display_name, username, domain, addr_spec))) | ||
| if '\r' in inputs or '\n' in inputs: | ||
| raise ValueError("invalid inputs; address parts cannot contain CR / LF") |
Hmm. Reading this I think I'd say "arguments" rather than inputs, that aligns better with our typical vocabulary. And how about "CR or LF"?
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @bitdancer: please review the changes made to this pull request. |
Except for the news item text this looks good.
| @@ -0,0 +1 @@ | |||
| Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name). | |||
I thought I'd already made this comment but I can't find it:
"DIsallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks."
|
@bitdancer: Please replace |
|
Thanks @epicfaace for the PR, and @bitdancer for merging it |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
GH-19222 is a backport of this pull request to the 3.8 branch. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
GH-19223 is a backport of this pull request to the 3.7 branch. |
|
GH-19224 is a backport of this pull request to the 3.6 branch. |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172)
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name)
https://bugs.python.org/issue39073
The text was updated successfully, but these errors were encountered: