#5871: protect against header injection attacks.

This makes Header.encode throw a HeaderParseError if it winds up formatting a header such that a continuation line has no leading whitespace and looks like a header. Since Header accepts values containing newlines and preserves them (and this is by design), without this fix any program that took user input (say, a subject in a web form) and passed it to the email package as a header was vulnerable to header injection attacks. (As far as we know this has never been exploited.) Thanks to Jakub Wilk for reporting this vulnerability.

#5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up formatting a header such that a continuation line has no leading whitespace and looks like a header. Since Header accepts values containing newlines and preserves them (and this is by design), without this fix any program that took user input (say, a subject in a web form) and passed it to the email package as a header was vulnerable to header injection attacks. (As far as we know this has never been exploited.) Thanks to Jakub Wilk for reporting this vulnerability.
5b2d9ddf · R. David Murray · e3ee66f1 · 5b2d9ddf · 5b2d9ddf · 5b2d9ddf
Kaydet (Commit) 5b2d9ddf authored Ock 09, 2011 tarafından R. David Murray
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 1 deletion

header.py Lib/email/header.py +9 -1

test_email.py Lib/email/test/test_email.py +12 -0

NEWS Misc/NEWS +7 -0

No files found.
--- a/Lib/email/header.py
+++ b/Lib/email/header.py
@@ -47,6 +47,10 @@ ecre = re.compile(r'''
 # For use with .match()
 fcre = re.compile(r'[\041-\176]+:$')

+# Find a header embeded in a putative header value.  Used to check for
+# header injection attack.
+_embeded_header = re.compile(r'\n[^ \t]+:')
+


 # Helpers
@@ -320,7 +324,11 @@ class Header:
            if len(lines) > 1:
                formatter.newline()
            formatter.add_transition()
-        return formatter._str(linesep)
+        value = formatter._str(linesep)
+        if _embeded_header.search(value):
+            raise HeaderParseError("header value appears to contain "
+                "an embedded header: {!r}".format(value))
+        return value

    def _normalize(self):
        # Step 1: Normalize the chunks so that all runs of identical charsets

--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
@@ -561,6 +561,18 @@ class TestMessageAPI(TestEmailBase):
            "attachment; filename*=utf-8''Fu%C3%9Fballer%20%5Bfilename%5D.ppt",
            msg['Content-Disposition'])

+    # Issue 5871: reject an attempt to embed a header inside a header value
+    # (header injection attack).
+    def test_embeded_header_via_Header_rejected(self):
+        msg = Message()
+        msg['Dummy'] = Header('dummy\nX-Injected-Header: test')
+        self.assertRaises(errors.HeaderParseError, msg.as_string)
+
+    def test_embeded_header_via_string_rejected(self):
+        msg = Message()
+        msg['Dummy'] = 'dummy\nX-Injected-Header: test'
+        self.assertRaises(errors.HeaderParseError, msg.as_string)
+

 # Test the email.encoders module
 class TestEncoders(unittest.TestCase):

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -40,6 +40,13 @@ Core and Builtins
 Library
 -------

+- Issue #5871: email.header.Header.encode now raises an error if any
+  continuation line in the formatted value has no leading white space
+  and looks like a header.  Since Generator uses Header to format all
+  headers, this check is made for all headers in any serialized message
+  at serialization time.  This provides protection against header
+  injection attacks.
+
 - Issue #10859: Make ``contextlib.GeneratorContextManager`` officially
  private by renaming it to ``_GeneratorContextManager``.