Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpo-39073: validate Address parts to disallow CRLF #19007

Merged
merged 8 commits into from Mar 30, 2020
Merged

bpo-39073: validate Address parts to disallow CRLF #19007

merged 8 commits into from Mar 30, 2020

Conversation

epicfaace
Copy link
Contributor

@epicfaace epicfaace commented Mar 15, 2020
edited by bedevere-bot

Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name)

https://bugs.python.org/issue39073

@epicfaace epicfaace requested a review from a team as a code owner March 15, 2020 01:28
bitdancer
bitdancer requested changes Mar 16, 2020
View reviewed changes
Copy link
Member

@bitdancer bitdancer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR.

Lib/email/headerregistry.py Outdated Show resolved Hide resolved
Lib/test/test_email/test_headerregistry.py Outdated Show resolved Hide resolved
@bedevere-bot
Copy link

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

epicfaace
epicfaace commented Mar 16, 2020
View reviewed changes
Copy link
Contributor Author

@epicfaace epicfaace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have made the requested changes; please review again

@epicfaace
Copy link
Contributor Author

I have made the requested changes; please review again

@bedevere-bot
Copy link

Thanks for making the requested changes!

@bitdancer: please review the changes made to this pull request.

bitdancer
bitdancer requested changes Mar 16, 2020
View reviewed changes
Lib/email/headerregistry.py Outdated

inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
if '\r' in inputs or '\n' in inputs:
raise ValueError("invalid inputs; address parts cannot contain CR / LF")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm. Reading this I think I'd say "arguments" rather than inputs, that aligns better with our typical vocabulary. And how about "CR or LF"?

Lib/test/test_email/test_headerregistry.py Show resolved Hide resolved
@bedevere-bot
Copy link

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@epicfaace
Copy link
Contributor Author

I have made the requested changes; please review again

@bedevere-bot
Copy link

Thanks for making the requested changes!

@bitdancer: please review the changes made to this pull request.

bitdancer
bitdancer requested changes Mar 16, 2020
View reviewed changes
Copy link
Member

@bitdancer bitdancer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Except for the news item text this looks good.

Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst Outdated
@@ -0,0 +1 @@
Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I'd already made this comment but I can't find it:

"DIsallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks."

@bitdancer bitdancer merged commit 614f172 into python:master Mar 30, 2020
@bedevere-bot
Copy link

@bitdancer: Please replace # with GH- in the commit message next time. Thanks!

@miss-islington
Copy link
Contributor

Thanks @epicfaace for the PR, and @bitdancer for merging it 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Mar 30, 2020
@epicfaace @miss-islington
bpo-39073: validate Address parts to disallow CRLF (pythonGH-19007)
1f49bfb 
 Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
@bedevere-bot
Copy link

GH-19222 is a backport of this pull request to the 3.8 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.8 only security fixes label Mar 30, 2020
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Mar 30, 2020
@epicfaace @miss-islington
bpo-39073: validate Address parts to disallow CRLF (pythonGH-19007)
6c95a89 
 Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
@bedevere-bot
Copy link

GH-19223 is a backport of this pull request to the 3.7 branch.

@bedevere-bot
Copy link

GH-19224 is a backport of this pull request to the 3.6 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Mar 30, 2020
@epicfaace @miss-islington
bpo-39073: validate Address parts to disallow CRLF (pythonGH-19007)
b0041a9 
 Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
miss-islington added a commit that referenced this pull request May 27, 2020
@miss-islington @epicfaace
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
75635c6 
 Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
miss-islington added a commit that referenced this pull request May 27, 2020
@miss-islington @epicfaace
bpo-39073: validate Address parts to disallow CRLF (GH-19007)
a93bf82 
 Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
@epicfaace epicfaace deleted the val-address branch May 27, 2020 15:11
ned-deily pushed a commit that referenced this pull request May 27, 2020
@miss-islington @epicfaace
bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
7df32f8 
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
larryhastings pushed a commit that referenced this pull request Jun 12, 2020
@vstinner
bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450)
f91a0b6 
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

(cherry picked from commit 614f172)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bitdancer bitdancer bitdancer approved these changes

Assignees
No one assigned
Labels
type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@epicfaace @bedevere-bot @miss-islington @bitdancer @the-knights-who-say-ni