[security] email module incorrect handling of CR and LF newline characters in Address objects.

[jap]

BPO	39073
Nosy	@warsaw, @vstinner, @larryhastings, @ned-deily, @bitdancer, @csabella, @miss-islington, @epicfaace, @jap
PRs	bpo-39073: validate Address parts to disallow CRLF #19007 [3.8] bpo-39073: validate Address parts to disallow CRLF (GH-19007) #19222 [3.7] bpo-39073: validate Address parts to disallow CRLF (GH-19007) #19223 [3.6] bpo-39073: validate Address parts to disallow CRLF (GH-19007) #19224 [3.5] bpo-39073: validate Address parts to disallow CRLF (#19007) #20450

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-07-19.09:42:15.677>
created_at = <Date 2019-12-17.12:46:43.254>
labels = ['type-security', '3.8', 'expert-email', '3.10', '3.7', '3.9']
title = '[security] email module incorrect handling of CR and LF newline characters in Address objects.'
updated_at = <Date 2020-07-19.09:42:15.676>
user = 'https://github.com/jap'

bugs.python.org fields:

activity = <Date 2020-07-19.09:42:15.676>
actor = 'ned.deily'
assignee = 'none'
closed = True
closed_date = <Date 2020-07-19.09:42:15.677>
closer = 'ned.deily'
components = ['email']
creation = <Date 2019-12-17.12:46:43.254>
creator = 'jap'
dependencies = []
files = []
hgrepos = []
issue_num = 39073
keywords = ['patch']
message_count = 14.0
messages = ['358544', '358545', '358572', '364273', '365287', '365288', '369659', '370076', '370077', '370080', '370081', '370151', '371386', '373948']
nosy_count = 9.0
nosy_names = ['barry', 'vstinner', 'larry', 'ned.deily', 'r.david.murray', 'cheryl.sabella', 'miss-islington', 'epicfaace', 'jap']
pr_nums = ['19007', '19222', '19223', '19224', '20450']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue39073'
versions = ['Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

[jap]

big-bob:t spaans$ cat fak.py
import sys

from email.message import EmailMessage
from email.policy import SMTP
from email.headerregistry import Address

msg = EmailMessage(policy=SMTP)

a = Address(display_name='Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>\r\nX:', addr_spec='evil@local')
msg['To'] = a
print(sys.version)
print(msg.as_string())
big-bob:t spaans$ python3.5 fak.py
3.5.2 (default, Jul 16 2019, 13:40:43) 
[GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)]
To: "Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>
X:" <evil@local>

big-bob:t spaans$ python3.8 fak.py
3.8.0 (default, Dec 17 2019, 13:32:18)
[Clang 11.0.0 (clang-1100.0.33.16)]
To: Extra Extra Read All About It This Line Does Not Fit In 80 Characters So
Should Be Wrapped <dev@local>
X: <evil@local>

[jap]

As can be seen above, 3.5 wraps the realname in a double quote, but 3.8 fails to do so. Note that 3.5 also does not add a whitespace in front of the line starting with "X:", so it is also not merged with the previous line when parsing.

I guess we'll have to disallow \r and \n in displaynames for now.

[bitdancer]

Hmm. Yes, \r\n should be disallowed in the arguments to Address. I thought it already was, so that's a bug. That bug produces the other apparent bug as well: because the X: was treated as a separate line, the previous header did not need double quotes so they are no longer added.

So there's no 3.8 specific bug here, but there is a bug.

[bitdancer]

Thanks for the PR. I've made some review comments.

[bitdancer]

New changeset 614f172 by Ashwin Ramaswami in branch 'master':
bpo-39073: validate Address parts to disallow CRLF (bpo-19007)
614f172

[bitdancer]

Thanks!

[csabella]

There are 3 open PRs for the backport of this to 3.6, 3.7, and 3.8. It looks like they just need to be approved and miss-islington will take care of the rest.

[miss-islington]

New changeset 75635c6 by Miss Islington (bot) in branch '3.8':
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
75635c6

[miss-islington]

New changeset a93bf82 by Miss Islington (bot) in branch '3.7':
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
a93bf82

[vstinner]

I created PR 20450: backport to 3.5, since it's a security fix.

[vstinner]

FYI I created https://python-security.readthedocs.io/vuln/email-address-header-injection.html to track fixes of this vulnerability.

[ned-deily]

New changeset 7df32f8 by Miss Islington (bot) in branch '3.6':
bpo-39073: validate Address parts to disallow CRLF (GH-19007) (bpo-19224)
7df32f8

[larryhastings]

New changeset f91a0b6 by Victor Stinner in branch '3.5':
bpo-39073: validate Address parts to disallow CRLF (bpo-19007) (bpo-20450)
f91a0b6

[ned-deily]

Merged for release in 3.9.0a6, 3.8.4, 3.7.8, 3.6.11, and 3.5.10.