[issue39073] email incorrect handling of crlf in Address objects.

STINNER Victor added the comment: FYI I created https://python-security.readthedocs.io/vuln/email-address-header-injection.html to track fixes of this vulnerability. -- ___ Python tracker

[issue39073] email incorrect handling of crlf in Address objects.

STINNER Victor added the comment: I created PR 20450: backport to 3.5, since it's a security fix. -- versions: +Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.9 ___ Python tracker

[issue39073] email incorrect handling of crlf in Address objects.

Change by STINNER Victor : -- nosy: +vstinner nosy_count: 6.0 -> 7.0 pull_requests: +19704 stage: backport needed -> patch review pull_request: https://github.com/python/cpython/pull/20450 ___ Python tracker

[issue39073] email incorrect handling of crlf in Address objects.

miss-islington added the comment: New changeset a93bf82980d7c02217a088bafa193f32a4d13abb by Miss Islington (bot) in branch '3.7': bpo-39073: validate Address parts to disallow CRLF (GH-19007) https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb --

[issue39073] email incorrect handling of crlf in Address objects.

miss-islington added the comment: New changeset 75635c6095bcfbb9fccc239115d3d03ae20a307f by Miss Islington (bot) in branch '3.8': bpo-39073: validate Address parts to disallow CRLF (GH-19007) https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f --

[issue39073] email incorrect handling of crlf in Address objects.

Cheryl Sabella added the comment: There are 3 open PRs for the backport of this to 3.6, 3.7, and 3.8. It looks like they just need to be approved and miss-islington will take care of the rest. -- nosy: +cheryl.sabella ___ Python tracker

[issue39073] email incorrect handling of crlf in Address objects.

Change by R. David Murray : -- stage: patch review -> backport needed ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue39073] email incorrect handling of crlf in Address objects.

R. David Murray added the comment: Thanks! -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue39073] email incorrect handling of crlf in Address objects.

Change by miss-islington : -- pull_requests: +18585 pull_request: https://github.com/python/cpython/pull/19223 ___ Python tracker ___

[issue39073] email incorrect handling of crlf in Address objects.

Change by miss-islington : -- pull_requests: +18586 pull_request: https://github.com/python/cpython/pull/19224 ___ Python tracker ___

[issue39073] email incorrect handling of crlf in Address objects.

Change by miss-islington : -- nosy: +miss-islington nosy_count: 4.0 -> 5.0 pull_requests: +18584 pull_request: https://github.com/python/cpython/pull/19222 ___ Python tracker

[issue39073] email incorrect handling of crlf in Address objects.

R. David Murray added the comment: New changeset 614f17211c5fc0e5b828be1d3320661d1038fe8f by Ashwin Ramaswami in branch 'master': bpo-39073: validate Address parts to disallow CRLF (#19007) https://github.com/python/cpython/commit/614f17211c5fc0e5b828be1d3320661d1038fe8f --

[issue39073] email incorrect handling of crlf in Address objects.

R. David Murray added the comment: Thanks for the PR. I've made some review comments. -- ___ Python tracker ___ ___

[issue39073] email incorrect handling of crlf in Address objects.

Change by Ashwin Ramaswami : -- keywords: +patch nosy: +epicfaace nosy_count: 3.0 -> 4.0 pull_requests: +18352 stage: -> patch review pull_request: https://github.com/python/cpython/pull/19007 ___ Python tracker

[issue39073] email incorrect handling of crlf in Address objects.

R. David Murray added the comment: Hmm. Yes, \r\n should be disallowed in the arguments to Address. I thought it already was, so that's a bug. That bug produces the other apparent bug as well: because the X: was treated as a separate line, the previous header did not need double quotes