python · bitdancer · Mar 30, 2020 · Mar 15, 2020 · Mar 15, 2020 · Mar 16, 2020
diff --git a/Lib/email/headerregistry.py b/Lib/email/headerregistry.py
@@ -31,6 +31,11 @@ def __init__(self, display_name='', username='', domain='', addr_spec=None):
         without any Content Transfer Encoding.
 
         """
+
+        inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
+        if '\r' in inputs or '\n' in inputs:
+            raise ValueError("invalid inputs; address parts cannot contain CR / LF")
+
         # This clause with its potential 'raise' may only happen when an
         # application program creates an Address object using an addr_spec
         # keyword.  The email library code itself must always supply username
@@ -48,6 +53,7 @@ def __init__(self, display_name='', username='', domain='', addr_spec=None):
                 raise a_s.all_defects[0]
             username = a_s.local_part
             domain = a_s.domain
+
         self._display_name = display_name
         self._username = username
         self._domain = domain
@@ -99,7 +105,6 @@ def __eq__(self, other):
                 self.username == other.username and
                 self.domain == other.domain)
 
-
 class Group:
 
     def __init__(self, display_name=None, addresses=None):

diff --git a/Lib/test/test_email/test_headerregistry.py b/Lib/test/test_email/test_headerregistry.py
@@ -1437,6 +1437,22 @@ def test_il8n(self):
     #    with self.assertRaises(ValueError):
     #        Address('foo', 'wők', 'example.com')
 
+    def test_crlf_in_constructor_args_raises(self):
+        cases = (
+            dict(display_name='example.com\r'),
+            dict(display_name='example.com\n'),
+            dict(display_name='example.com\r\n'),
+            dict(username='wok\r'),
+            dict(username='wok\n'),
+            dict(username='wok\r\n'),
+            dict(addr_spec='wok@example.com\r'),
+            dict(addr_spec='wok@example.com\n'),
+            dict(addr_spec='wok@example.com\r\n')
+        )
+        for kwargs in cases:
+            with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid inputs"):
+                Address(**kwargs)
+
     def test_non_ascii_username_in_addr_spec_raises(self):
         with self.assertRaises(ValueError):
             Address('foo', addr_spec='wők@example.com')

diff --git a/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst b/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst
@@ -0,0 +1 @@
+Validate email.headerregistry.Address to disallow CRLF in address parts (username, domain, display_name).