R. David Murray <rdmur...@bitdance.com> added the comment:

Not a security issue, no.  This isn't C where a stack overflow can give an 
attacker a vector for injecting arbitrary code.

Per the Parser contract ("raise no exceptions, only register defects"), this 
should, as you say, register a defect 
(email.errors.InvalidMultipartContentTransferEncodingDefect) and assume a CTE 
of 7bit for the rest of the parsing.  The problem here is that the feedparser 
is running into the "hack" I put in place in python3.2 for dealing with invalid 
binary data in headers (which is to turn it into a Header with charset 
unknown-8bit).  That works most of the time, but in cases like this it breaks 
down :(

Note that the new API (policy=default and friends) handles this without error.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36910>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
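The comment above describes the parser contract (register a defect instead of raising) and notes that `policy=default` copes with this input. The following is an added example, not code from the tracker issue or from CPython: it parses a constructed message under both policies and collects the registered defects. The sample bytes, the helper names and the assumption that the legacy failure surfaces as `AttributeError` are all illustrative.

```python
import email
from email import policy

# Constructed sample, not the reproducer attached to the tracker issue:
# a multipart message whose Content-Transfer-Encoding header is raw 8-bit bytes.
RAW = (
    b"From: a@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n'
    b"Content-Transfer-Encoding: \xa1\xa2\xa3\r\n"
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--XX--\r\n"
)


def parse_modern(raw):
    """Parse with the new API; malformed input is reported through defects."""
    return email.message_from_bytes(raw, policy=policy.default)


def parse_legacy(raw):
    """Parse with compat32; return None if the parser itself raises."""
    try:
        return email.message_from_bytes(raw, policy=policy.compat32)
    except AttributeError:
        # Assumption: on affected versions the failure is an AttributeError.
        return None


def all_defects(msg):
    """Names of the defects on every part and on every parsed header."""
    names = []
    for part in msg.walk():
        names += [type(d).__name__ for d in part.defects]
        for header in part.values():
            # compat32 header values carry no defects attribute.
            names += [type(d).__name__ for d in getattr(header, "defects", ())]
    return names


if __name__ == "__main__":
    legacy = parse_legacy(RAW)
    print("compat32:", "parser raised" if legacy is None else all_defects(legacy))
    print("default :", all_defects(parse_modern(RAW)))
```

A mail pipeline that handles untrusted input can treat a non-empty `all_defects()` result as a signal to quarantine or log the message rather than trusting its structure.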