Email Header Injection Protection Bypass #76787
The protections implemented in https://github.com/python/cpython/blob/master/Lib/email/header.py to prevent Email Header injection can be bypassed by specifying an injected additional header in the following format: The white space bypasses the current regex protection (_embedded_header = re.compile(r'\n[^ \\t]+:')) and is still accepted by the smtp server. Attached is a proof of concept script.
RFC 5322[1] says that a header field's name can't have a space in it and must be immediately followed by the ':' character. Is it common for SMTP servers to accept messages with ' ' before ':'?
Yes. There's this thing called Postel's Law that says you should be generous in what you accept and careful in what you emit. So most MTAs and MUAs try very hard to guess what a non-RFC-compliant email is trying to say, which includes allowing spaces between the label and the colon (which I believe was legal at least in RFC 822, though I haven't checked). If there's a space in the label, the handling for that is less predictable. The email library's default is to treat that as a non-header line and therefore the start of the body (even if not followed by a blank line).
Should this be closed as 'not a bug'?
It seems like the email header injection vulnerability is supposed to be fixed since Python 3.5: https://python-security.readthedocs.io/vuln/http-header-injection.html The problem here is the usage of the generic @warsaw @bitdancer @maxking @giampaolo: Would it be possible to change the default email policy to a stricter policy which rejects newline characters? What are the constraints for backward compatibility here? Or is it a documentation issue?
The regex in email/header.py should be fixed. The fix is pretty simple, just allowing for whitespace to appear before the colon.
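The change proposed in the last comment, sketched as an added example (not code from the issue and not CPython's patch): the pattern quoted in the report beside an assumed variant that allows whitespace before the colon, run over constructed header values. `HARDENED`, `embedded_field` and `compare` are names chosen here for illustration.

```python
import re

# Pattern quoted in the report, as written in Lib/email/header.py.
REPORTED = re.compile(r'\n[^ \t]+:')
# Assumed hardened form (not the project's patch): tolerate whitespace
# between the field name and the colon, as lenient MTAs do.
HARDENED = re.compile(r'\n[^ \t]+[ \t]*:')

# Constructed header values; example.com addresses are placeholders.
SAMPLES = {
    "plain": "Monthly report",
    # A newline followed by whitespace is a legitimate folded continuation.
    "folded": "Monthly report\n continued: still one header",
    "classic": "Monthly report\nX-Injected: a@example.com",
    "space_before_colon": "Monthly report\nX-Injected : a@example.com",
    "tab_before_colon": "Monthly report\r\nX-Injected\t: a@example.com",
}


def embedded_field(value, pattern):
    """Return the embedded field name the pattern finds, or None."""
    m = pattern.search(value)
    if m is None:
        return None
    # Drop the leading newline, the colon and any whitespace before it.
    return m.group(0).lstrip("\n").rstrip(":").rstrip(" \t")


def compare(samples=SAMPLES):
    """Map sample name -> (caught by REPORTED, caught by HARDENED)."""
    return {
        name: (embedded_field(v, REPORTED) is not None,
               embedded_field(v, HARDENED) is not None)
        for name, v in samples.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:20} reported={old!s:5} hardened={new}")
```

Neither pattern flags a line whose label itself contains a space; the thread notes the email library treats such a line as the start of the body.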
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.