cpython/Lib/email
R. David Murray 5b2d9ddf69 #5871: protect against header injection attacks.
This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header.  Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks.  (As far as we know this has never been exploited.)

Thanks to Jakub Wilk for reporting this vulnerability.
2011-01-09 02:35:24 +00:00
mime Merged revisions 73004,73439,73496,73509,73529,73564,73576-73577,73595-73596,73605 via svnmerge from 2009-06-28 17:22:03 +00:00
test #5871: protect against header injection attacks. 2011-01-09 02:35:24 +00:00
__init__.py #4661: add bytes parsing and generation to email (email version bump to 5.1.0) 2010-10-08 15:55:28 +00:00
_parseaddr.py #1155362: allow hh:mm:ss-uuuu like we allow hh:mm:ss+uuuu in parsedate_tz 2010-12-23 20:35:46 +00:00
base64mime.py Issue #4770: Restrict binascii module to accept only bytes (as specified). 2010-07-27 21:20:15 +00:00
charset.py #10686: recode non-ASCII headers to 'unknown-8bit' instead of ?s. 2011-01-07 23:25:30 +00:00
encoders.py #4768: store base64 encoded email body parts as text, not binary. 2010-06-04 16:11:08 +00:00
errors.py Copying the email package back, despite its failings. 2007-08-30 01:15:14 +00:00
feedparser.py #4661: add bytes parsing and generation to email (email version bump to 5.1.0) 2010-10-08 15:55:28 +00:00
generator.py Fix the change made for issue 1243654. 2010-12-21 18:07:59 +00:00
header.py #5871: protect against header injection attacks. 2011-01-09 02:35:24 +00:00
iterators.py Patch# 1258 by Christian Heimes: kill basestring. 2007-10-16 18:12:55 +00:00
message.py #10686: recode non-ASCII headers to 'unknown-8bit' instead of ?s. 2011-01-07 23:25:30 +00:00
parser.py Properly close a temporary TextIOWrapper in 'email'. 2010-10-29 23:08:13 +00:00
quoprimime.py #10004: in Q encoded word ignore '=xx' when xx is not valid hex. 2010-10-01 15:40:20 +00:00
utils.py #8989: add 'domain' keyword to make_msgid. 2010-12-02 21:47:19 +00:00