Matěj Cepl
faa9dd3a19
It is a follow-up to the previous fix of CVE-2024-6923 further encoding EOL possibly hidden in email headers (bsc#1257181).
105 lines
5.1 KiB
Diff
105 lines
5.1 KiB
Diff
From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Fri, 23 Jan 2026 08:59:35 -0600
|
|
Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator
|
|
(cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413)
|
|
|
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
|
Co-authored-by: Denis Ledoux <dle@odoo.com>
|
|
Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
|
|
Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
|
|
Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
|
|
---
|
|
Lib/email/generator.py | 12 +++++++++-
|
|
Lib/test/test_email/test_generator.py | 4 ++-
|
|
Lib/test/test_email/test_policy.py | 6 ++++-
|
|
Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++
|
|
4 files changed, 23 insertions(+), 3 deletions(-)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
|
|
|
|
Index: Python-3.14.2/Lib/email/generator.py
|
|
===================================================================
|
|
--- Python-3.14.2.orig/Lib/email/generator.py 2026-01-28 22:15:51.075267925 +0100
|
|
+++ Python-3.14.2/Lib/email/generator.py 2026-01-28 22:15:56.251194626 +0100
|
|
@@ -22,6 +22,7 @@
|
|
NLCRE = re.compile(r'\r\n|\r|\n')
|
|
fcre = re.compile(r'^From ', re.MULTILINE)
|
|
NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
|
|
+NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
|
|
|
|
|
|
class Generator:
|
|
@@ -429,7 +430,16 @@
|
|
# This is almost the same as the string version, except for handling
|
|
# strings with 8bit bytes.
|
|
for h, v in msg.raw_items():
|
|
- self._fp.write(self.policy.fold_binary(h, v))
|
|
+ folded = self.policy.fold_binary(h, v)
|
|
+ if self.policy.verify_generated_headers:
|
|
+ linesep = self.policy.linesep.encode()
|
|
+ if not folded.endswith(linesep):
|
|
+ raise HeaderWriteError(
|
|
+ f'folded header does not end with {linesep!r}: {folded!r}')
|
|
+ if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)):
|
|
+ raise HeaderWriteError(
|
|
+ f'folded header contains newline: {folded!r}')
|
|
+ self._fp.write(folded)
|
|
# A blank line always separates headers from body
|
|
self.write(self._NL)
|
|
|
|
Index: Python-3.14.2/Lib/test/test_email/test_generator.py
|
|
===================================================================
|
|
--- Python-3.14.2.orig/Lib/test/test_email/test_generator.py 2026-01-28 22:15:52.693627763 +0100
|
|
+++ Python-3.14.2/Lib/test/test_email/test_generator.py 2026-01-28 22:15:56.251344799 +0100
|
|
@@ -313,7 +313,7 @@
|
|
self.assertEqual(s.getvalue(), self.typ(expected))
|
|
|
|
def test_verify_generated_headers(self):
|
|
- """gh-121650: by default the generator prevents header injection"""
|
|
+ # gh-121650: by default the generator prevents header injection
|
|
class LiteralHeader(str):
|
|
name = 'Header'
|
|
def fold(self, **kwargs):
|
|
@@ -334,6 +334,8 @@
|
|
|
|
with self.assertRaises(email.errors.HeaderWriteError):
|
|
message.as_string()
|
|
+ with self.assertRaises(email.errors.HeaderWriteError):
|
|
+ message.as_bytes()
|
|
|
|
|
|
class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
|
|
Index: Python-3.14.2/Lib/test/test_email/test_policy.py
|
|
===================================================================
|
|
--- Python-3.14.2.orig/Lib/test/test_email/test_policy.py 2026-01-28 22:15:52.703671956 +0100
|
|
+++ Python-3.14.2/Lib/test/test_email/test_policy.py 2026-01-28 22:15:56.251499922 +0100
|
|
@@ -296,7 +296,7 @@
|
|
policy.fold("Subject", subject)
|
|
|
|
def test_verify_generated_headers(self):
|
|
- """Turning protection off allows header injection"""
|
|
+ # Turning protection off allows header injection
|
|
policy = email.policy.default.clone(verify_generated_headers=False)
|
|
for text in (
|
|
'Header: Value\r\nBad: Injection\r\n',
|
|
@@ -319,6 +319,10 @@
|
|
message.as_string(),
|
|
f"{text}\nBody",
|
|
)
|
|
+ self.assertEqual(
|
|
+ message.as_bytes(),
|
|
+ f"{text}\nBody".encode(),
|
|
+ )
|
|
|
|
# XXX: Need subclassing tests.
|
|
# For adding subclassed objects, make sure the usual rules apply (subclass
|
|
Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-01-28 22:15:56.251667056 +0100
|
|
@@ -0,0 +1,4 @@
|
|
+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers
|
|
+that are unsafely folded or delimited; see
|
|
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
|
|
+Bloemsaat and Petr Viktorin in :gh:`121650`).
|