Skip to content

gh-121650 : detect newlines in headers#121812

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
basbloemsaat wants to merge 12 commits into from
Closed

gh-121650 : detect newlines in headers #121812

basbloemsaat wants to merge 12 commits into from

Conversation

@basbloemsaat
Copy link
Contributor

@basbloemsaatbasbloemsaat commented Jul 15, 2024
edited by bedevere-app bot
Loading

@encukou as promised, the fix for this issue.

This PR fixes both issues addressed in the issue, both the newlines at the end as well as the encoded newlines.

As this has security implication, it may need to be backported as well.

@basbloemsaatbasbloemsaat requested a review from a team as a code ownerJuly 15, 2024 19:53
@bedevere-appbedevere-appbot mentioned this pull request Jul 15, 2024
Closed
ZeroIntensity
ZeroIntensity requested changes Jul 15, 2024
View reviewed changes
Copy link
Member

@ZeroIntensityZeroIntensity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to confirm that this PR fixes #121650. The original reproducer still contains the embedded newline:

fromemailimportmessage_from_stringfromemail.policyimportdefaultemail_in="""\To: [email protected]From: External Sender <[email protected]>Subject: Here's an =?UTF-8?Q?embedded_newline=0A?=Content-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableMIME-Version: 1.0<html><head><title>An embeded newline</title></head><body> <p>I sent you an embedded newline in the subject. How do you like that?!</p></body></html>"""msg=message_from_string(email_in, policy=default) msg=message_from_string(email_in, policy=default) forheader, valueinmsg.items(): delmsg[header] msg[header] =valueemail_out=str(msg) print(email_out)

@basbloemsaat
Copy link
ContributorAuthor

basbloemsaat commented Jul 16, 2024
edited
Loading

I wasn't able to confirm that this PR fixes #121650. The original reproducer still contains the embedded newline:
...

I missed headers that were parsed from a message, as in original issue. I updated the fix and the tests.

ZeroIntensity
ZeroIntensity approved these changes Jul 16, 2024
View reviewed changes
Copy link
Member

@ZeroIntensityZeroIntensity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed that this fixes #121650. I'm pretty sure this is a security fix (as you could previously inject email headers using this method), so this should need a backport all the way to 3.8

@encukou
Copy link
Member

encukou commented Jul 16, 2024

@warsaw, @bitdancer, @maxking: as the email experts, do you have any comments?

encukou
encukou previously approved these changes Jul 16, 2024
View reviewed changes
Copy link
Member

@encukouencukou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix looks good to me! Thank you for digging into it!

@encukouencukou dismissed their stale reviewJuly 19, 2024 16:06

There's more

@encukou
Copy link
Member

encukou commented Jul 19, 2024

I take back the review. There's more to this, unfortunately :(

Here's another reproducer:

fromemailimportmessage_from_stringfromemail.policyimportdefaultemail_in="""\To: [email protected]From: External Sender <[email protected]> =?UTF-8?Q?embedded_newline=0A?=Smuggled-Data: BadSubject: foo <bar> Here's anContent-Type: text/html; charset=UTF-8Content-Transfer-Encoding: quoted-printableMIME-Version: 1.0<html><head><title>An embeded newline</title></head><body> <p>I sent you an embedded newline in the subject. How do you like that?!</p></body></html>"""msg=message_from_string(email_in, policy=default) print(msg) forheader, valueinmsg.items(): delmsg[header] msg[header] =valueemail_out=str(msg) print(email_out)

@basbloemsaat
Copy link
ContributorAuthor

basbloemsaat commented Jul 19, 2024

I take back the review. There's more to this, unfortunately :(

I'll look into this...

@basbloemsaat
Copy link
ContributorAuthor

basbloemsaat commented Jul 19, 2024
edited
Loading

@encukou I tried all header types. This eliminates all newlines. Two notes:

  • date headers (and derivatives) parse the date, and the offending code is eliminated that way
  • the MIME-Version header doesn't decode the encoded newline, so it doesn't break the message. Improving the parsing of that header would mean rewriting the parsing code to do so, but I think that goes beyond the scope of this ticket.

@encukouencukou mentioned this pull request Jul 24, 2024
Merged
@encukou
Copy link
Member

encukou commented Jul 24, 2024

After reading up on the email module, I propose to fix the issue in a different part of the code: see #122233.

@encukou
Copy link
Member

encukou commented Aug 1, 2024

Closing in favour of #122233.
Thank you for the work here, @basbloemsaat! And sorry that I “stole” the issue.

@encukouencukou closed this Aug 1, 2024
@basbloemsaatbasbloemsaat deleted the fix-issue-121650-detect-newlines-in-headers branch August 1, 2024 15:06
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ZeroIntensityZeroIntensityZeroIntensity approved these changes

@encukouencukouAwaiting requested review from encukou

Assignees

No one assigned

Labels

awaiting core review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@basbloemsaat@encukou@ZeroIntensity