6 Commits

Author SHA1 Message Date
R. David Murray d97f5ce377 Merged revisions 87873 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r87873 | r.david.murray | 2011-01-08 21:35:24 -0500 (Sat, 08 Jan 2011) | 12 lines

  #5871: protect against header injection attacks.

  This makes Header.encode throw a HeaderParseError if it winds up
  formatting a header such that a continuation line has no leading
  whitespace and looks like a header.  Since Header accepts values
  containing newlines and preserves them (and this is by design), without
  this fix any program that took user input (say, a subject in a web form)
  and passed it to the email package as a header was vulnerable to header
  injection attacks.  (As far as we know this has never been exploited.)

  Thanks to Jakub Wilk for reporting this vulnerability.
........
2011-01-09 03:02:04 +00:00
R. David Murray 75a292e5be Merged revisions 83690 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r83690 | r.david.murray | 2010-08-03 18:14:10 -0400 (Tue, 03 Aug 2010) | 10 lines

  #3196: if needed pad a short base64 encoded word before trying to decode.

  The RFCs encourage following Postel's law: be liberal in what you accept.
  So if someone forgot to pad the base64 encoded word payload to an
  even four bytes, we add the padding before handing it to base64mime.decode.
  Previously, missing padding resulted in a HeaderParseError.

  Patch by Jason Williams.
........
2010-08-04 00:05:50 +00:00
Amaury Forgeot d'Arc 74b8d333b7 #2622 Import errors in email.message, from a py2app standalone application.
Patch by Mads Kiilerich, Reviewed by Barry Warsaw.
2009-07-11 14:33:51 +00:00
Brett Cannon 1f571c6e60 Remove Barry's love of deprecated syntax to silence warnings in the email
package, when run under -3, about using <>.
2008-08-03 23:27:32 +00:00
Barry Warsaw dcd24ae501 SF bug #1582282; decode_header() incorrectly splits not-conformant RFC
2047-like headers where there is no whitespace between encoded words.  This
fix changes the matching regexp to include a trailing lookahead assertion that
the closing ?= must be followed by whitespace, newline, or end-of-string.
This also changes the regexp to add the MULTILINE flag.
2007-03-14 04:59:50 +00:00
Barry Warsaw 40ef0067ad Merge email package 4.0 from the sandbox, including documentation, test cases,
and NEWS updates.
2006-03-18 15:41:53 +00:00