Issue 39073: [security] email module incorrect handling of CR and LF newline characters in Address objects. [proxy]

The Wayback Machine - https://web.archive.org/web/20210306185924/https://bugs.python.org/issue39073

Issue39073

classification

Title:	[security] email module incorrect handling of CR and LF newline characters in Address objects.
Type:	security	Stage:	resolved
Components:	email	Versions:	Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:		Nosy List:	barry, cheryl.sabella, epicfaace, jap, larry, miss-islington, ned.deily, r.david.murray, vstinner
Priority:	normal	Keywords:	patch

Created on 2019-12-17 12:46 by jap, last changed 2020-07-19 09:42 by ned.deily. This issue is now closed.

Pull Requests
URL	Status	Linked	Edit
PR 19007	merged	epicfaace, 2020-03-15 01:28
PR 19222	merged	miss-islington, 2020-03-30 00:39
PR 19223	merged	miss-islington, 2020-03-30 00:39
PR 19224	merged	miss-islington, 2020-03-30 00:39
PR 20450	merged	vstinner, 2020-05-27 13:47

Messages (14)
msg358544 - (view)	Author: Jasper Spaans (jap) *	Date: 2019-12-17 12:46
big-bob:t spaans$ cat fak.py import sys from email.message import EmailMessage from email.policy import SMTP from email.headerregistry import Address msg = EmailMessage(policy=SMTP) a = Address(display_name='Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local>\r\nX:', addr_spec='evil@local') msg['To'] = a print(sys.version) print(msg.as_string()) big-bob:t spaans$ python3.5 fak.py 3.5.2 (default, Jul 16 2019, 13:40:43) [GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)] To: "Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local> X:" <evil@local> big-bob:t spaans$ python3.8 fak.py 3.8.0 (default, Dec 17 2019, 13:32:18) [Clang 11.0.0 (clang-1100.0.33.16)] To: Extra Extra Read All About It This Line Does Not Fit In 80 Characters So Should Be Wrapped <dev@local> X: <evil@local>
msg358545 - (view)	Author: Jasper Spaans (jap) *	Date: 2019-12-17 12:50
As can be seen above, 3.5 wraps the realname in a double quote, but 3.8 fails to do so. Note that 3.5 also does not add a whitespace in front of the line starting with "X:", so it is also not merged with the previous line when parsing. I guess we'll have to disallow \r and \n in displaynames for now.
msg358572 - (view)	Author: R. David Murray (r.david.murray) *	Date: 2019-12-17 20:24
Hmm. Yes, \r\n should be disallowed in the arguments to Address. I thought it already was, so that's a bug. That bug produces the other apparent bug as well: because the X: was treated as a separate line, the previous header did not need double quotes so they are no longer added. So there's no 3.8 specific bug here, but there is a bug.
msg364273 - (view)	Author: R. David Murray (r.david.murray) *	Date: 2020-03-16 01:00
Thanks for the PR. I've made some review comments.
msg365287 - (view)	Author: R. David Murray (r.david.murray) *	Date: 2020-03-30 00:38
New changeset 614f17211c5fc0e5b828be1d3320661d1038fe8f by Ashwin Ramaswami in branch 'master': bpo-39073: validate Address parts to disallow CRLF (#19007) https://github.com/python/cpython/commit/614f17211c5fc0e5b828be1d3320661d1038fe8f
msg365288 - (view)	Author: R. David Murray (r.david.murray) *	Date: 2020-03-30 00:40
Thanks!
msg369659 - (view)	Author: Cheryl Sabella (cheryl.sabella) *	Date: 2020-05-22 22:20
There are 3 open PRs for the backport of this to 3.6, 3.7, and 3.8. It looks like they just need to be approved and miss-islington will take care of the rest.
msg370076 - (view)	Author: miss-islington (miss-islington)	Date: 2020-05-27 13:37
New changeset 75635c6095bcfbb9fccc239115d3d03ae20a307f by Miss Islington (bot) in branch '3.8': bpo-39073: validate Address parts to disallow CRLF (GH-19007) https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f
msg370077 - (view)	Author: miss-islington (miss-islington)	Date: 2020-05-27 13:38
New changeset a93bf82980d7c02217a088bafa193f32a4d13abb by Miss Islington (bot) in branch '3.7': bpo-39073: validate Address parts to disallow CRLF (GH-19007) https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
msg370080 - (view)	Author: STINNER Victor (vstinner) *	Date: 2020-05-27 13:48
I created PR 20450: backport to 3.5, since it's a security fix.
msg370081 - (view)	Author: STINNER Victor (vstinner) *	Date: 2020-05-27 13:49
FYI I created https://python-security.readthedocs.io/vuln/email-address-header-injection.html to track fixes of this vulnerability.
msg370151 - (view)	Author: Ned Deily (ned.deily) *	Date: 2020-05-27 23:17
New changeset 7df32f844efed33ca781a016017eab7050263b90 by Miss Islington (bot) in branch '3.6': bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224) https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90
msg371386 - (view)	Author: Larry Hastings (larry) *	Date: 2020-06-12 15:33
New changeset f91a0b6df14d6c5133fe3d5889fad7d84fc0c046 by Victor Stinner in branch '3.5': bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450) https://github.com/python/cpython/commit/f91a0b6df14d6c5133fe3d5889fad7d84fc0c046
msg373948 - (view)	Author: Ned Deily (ned.deily) *	Date: 2020-07-19 09:42
Merged for release in 3.9.0a6, 3.8.4, 3.7.8, 3.6.11, and 3.5.10.

History
Date	User	Action	Args
2020-07-19 09:42:15	ned.deily	set	status: open -> closed resolution: fixed messages: + msg373948 stage: patch review -> resolved
2020-06-12 15:33:26	larry	set	nosy: + larry messages: + msg371386
2020-05-27 23:17:58	ned.deily	set	nosy: + ned.deily messages: + msg370151
2020-05-27 13:49:40	vstinner	set	title: email incorrect handling of crlf in Address objects. -> [security] email module incorrect handling of CR and LF newline characters in Address objects.
2020-05-27 13:49:21	vstinner	set	messages: + msg370081
2020-05-27 13:48:27	vstinner	set	messages: + msg370080 versions: + Python 3.5, Python 3.6, Python 3.7, Python 3.9, Python 3.10
2020-05-27 13:47:46	vstinner	set	nosy: + vstinner pull_requests: + pull_request19704 stage: backport needed -> patch review
2020-05-27 13:38:18	miss-islington	set	messages: + msg370077
2020-05-27 13:37:47	miss-islington	set	messages: + msg370076
2020-05-22 22:20:39	cheryl.sabella	set	nosy: + cheryl.sabella messages: + msg369659
2020-03-30 00:40:26	r.david.murray	set	stage: patch review -> backport needed
2020-03-30 00:40:01	r.david.murray	set	messages: + msg365288
2020-03-30 00:39:30	miss-islington	set	pull_requests: + pull_request18586
2020-03-30 00:39:21	miss-islington	set	pull_requests: + pull_request18585
2020-03-30 00:39:12	miss-islington	set	nosy: + miss-islington pull_requests: + pull_request18584
2020-03-30 00:38:47	r.david.murray	set	messages: + msg365287
2020-03-16 01:00:29	r.david.murray	set	messages: + msg364273
2020-03-15 01:28:02	epicfaace	set	keywords: + patch nosy: + epicfaace pull_requests: + pull_request18352 stage: patch review
2019-12-17 20:24:21	r.david.murray	set	messages: + msg358572 title: email regression in 3.8: folding -> email incorrect handling of crlf in Address objects.
2019-12-17 12:50:18	jap	set	messages: + msg358545
2019-12-17 12:46:43	jap	create