New submission from Alessandro Vesely:

Comments are allowed almost everywhere in an email message, and should be eliminated before attributing any meaning to a field. In the words of RFC5322, any CRLF that appears in FWS is semantically "invisible".

In particular, some note that comments can be used to deceive an email filter. For example, like so:

    Content-Disposition: attachment; filename=''attached%2E"; filename*1*="%62"; filename*2=(fool filters)at

(I don't know which, if any, email clients would execute that batch...)

Anyway, removing comments is needed for any structured header field. One is usually interested in the unfolded, de-commented value. It is difficult to do correctly, because of nesting and quoting possibilities.

This issue seems to be ignored, except for address lists (there is a getcomment() member in AddrlistClass). Why?

----------
components: email
messages: 287119
nosy: ale2017, barry, r.david.murray
priority: normal
severity: normal
status: open
title: RFC822-comments in email header fields can fool, e.g., get_filename()
type: behavior
versions: Python 2.7

_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue29462>
_______________________________________
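One way to obtain the unfolded, de-commented value the report asks for, handling nested comments, quoted-strings and quoted-pairs. This is an added example, not code from the report or from Python's email package; the name decomment, the choice to replace each comment with one space (so adjacent tokens do not merge) and the sample values are assumptions.

```python
import re


def decomment(value: str) -> str:
    """Unfold a structured header field value and drop RFC 5322 comments."""
    # Unfolding: a line break followed by whitespace is removed; the whitespace stays.
    value = re.sub(r"\r?\n(?=[ \t])", "", value)
    out = []
    depth = 0          # current comment nesting level
    in_quotes = False  # inside a quoted-string (only tracked when depth == 0)
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and (in_quotes or depth) and i + 1 < len(value):
            # quoted-pair: the next character is literal, never a delimiter
            if not depth:
                out.append(value[i:i + 2])
            i += 2
            continue
        if depth:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    out.append(" ")  # assumption: a comment separates tokens
        elif in_quotes:
            out.append(ch)
            if ch == '"':
                in_quotes = False
        elif ch == "(":
            depth = 1
        else:
            out.append(ch)
            if ch == '"':
                in_quotes = True
        i += 1
    if depth or in_quotes:
        # Fail closed: a filter should not guess at a malformed field.
        raise ValueError("unterminated comment or quoted-string")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: folded field using the comment trick from the report.
    print(decomment("attachment;\r\n filename*2=(fool filters)at"))
```

A filter would run this on the raw field value before extracting parameters, and treat the ValueError as a reason to quarantine rather than to fall back to the raw text.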
