bpo-39073: validate Address parts to disallow CRLF (#19007)

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
2020-03-29 20:38:41 -04:00 · 2020-03-29 20:38:41 -04:00 · 614f17211c
parent 0003c2dc1d
commit 614f17211c
3 changed files with 25 additions and 0 deletions
--- a/Lib/email/headerregistry.py
+++ b/Lib/email/headerregistry.py
@ -31,6 +31,11 @@ class Address:
        without any Content Transfer Encoding.

        """
+
+        inputs = ''.join(filter(None, (display_name, username, domain, addr_spec)))
+        if '\r' in inputs or '\n' in inputs:
+            raise ValueError("invalid arguments; address parts cannot contain CR or LF")
+
        # This clause with its potential 'raise' may only happen when an
        # application program creates an Address object using an addr_spec
        # keyword.  The email library code itself must always supply username
--- a/Lib/test/test_email/test_headerregistry.py
+++ b/Lib/test/test_email/test_headerregistry.py
@ -1437,6 +1437,25 @@ class TestAddressAndGroup(TestEmailBase):
    #    with self.assertRaises(ValueError):
    #        Address('foo', 'wők', 'example.com')

+    def test_crlf_in_constructor_args_raises(self):
+        cases = (
+            dict(display_name='foo\r'),
+            dict(display_name='foo\n'),
+            dict(display_name='foo\r\n'),
+            dict(domain='example.com\r'),
+            dict(domain='example.com\n'),
+            dict(domain='example.com\r\n'),
+            dict(username='wok\r'),
+            dict(username='wok\n'),
+            dict(username='wok\r\n'),
+            dict(addr_spec='wok@example.com\r'),
+            dict(addr_spec='wok@example.com\n'),
+            dict(addr_spec='wok@example.com\r\n')
+        )
+        for kwargs in cases:
+            with self.subTest(kwargs=kwargs), self.assertRaisesRegex(ValueError, "invalid arguments"):
+                Address(**kwargs)
+
    def test_non_ascii_username_in_addr_spec_raises(self):
        with self.assertRaises(ValueError):
            Address('foo', addr_spec='wők@example.com')
--- a/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst
+++ b/Misc/NEWS.d/next/Security/2020-03-15-01-28-36.bpo-39073.6Szd3i.rst
@ -0,0 +1 @@
+Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
				`@ -0,0 +1 @@`
				`Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.`