[issue32606] Email Header Injection Protection Bypass

2018-09-29 Thread Cheryl Sabella


Cheryl Sabella  added the comment:

Should this be closed as 'not a bug'?

--
nosy: +cheryl.sabella

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue32606] Email Header Injection Protection Bypass

2018-01-27 Thread R. David Murray

R. David Murray  added the comment:

Yes.

There's this thing called Postel's Law that says you should be generous in what 
you accept and careful in what you emit.  So most MTAs and MUAs try very hard 
to guess what a non-RFC-compliant email is trying to say, which includes 
allowing spaces between the label and the colon (which I believe was legal at 
least in RFC 822, though I haven't checked).  If there's a space in the label, 
the handling for that is less predictable.  The email library's default is to 
treat that as a non-header line and therefore the start of the body (even if not 
followed by a blank line).

--




[issue32606] Email Header Injection Protection Bypass

2018-01-27 Thread Nitish

Nitish  added the comment:

RFC 5322[1] says that a header field's name can't have a space in it and must 
be immediately followed by the ':' character.

Is it common for SMTP servers to accept messages with ' ' before ':'?


[1] https://tools.ietf.org/html/rfc5322#section-2.2

--
nosy: +nitishch




[issue32606] Email Header Injection Protection Bypass

2018-01-20 Thread Dalton Campbell

Change by Dalton Campbell :


--
nosy: +barry




[issue32606] Email Header Injection Protection Bypass

2018-01-20 Thread Dalton Campbell

New submission from Dalton Campbell :

The protections implemented in 
https://github.com/python/cpython/blob/master/Lib/email/header.py to prevent 
Email Header injection can be bypassed by specifying an injected additional 
header in the following format:
exam...@python.org\ncc :injec...@python.org

The white space bypasses the current regex protection (_embedded_header = 
re.compile(r'\n[^ \t]+:')) and is still accepted by the smtp server. 

Attached is a proof of concept script

--
components: Library (Lib)
files: PythonEmailHeaderInjectionPOC.py
messages: 310367
nosy: r.david.murray, thedoctorsoup
priority: normal
severity: normal
status: open
title: Email Header Injection Protection Bypass
type: security
Added file: https://bugs.python.org/file47396/PythonEmailHeaderInjectionPOC.py
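
Added example (not part of the original submission, the attached proof of concept, or the tracker discussion): the pattern quoted in the report, run against two constructed values, beside a stricter input check and the parser behaviour R. David Murray describes. The example.org addresses and the helper names are assumptions made for this illustration.

```python
import email
import re
from email.message import EmailMessage

# Pattern quoted in the report from Lib/email/header.py.
_embedded_header = re.compile(r'\n[^ \t]+:')

# Constructed sample values; the example.org addresses are placeholders.
PLAIN = "first@example.org\nCc:second@example.org"
SPACED = "first@example.org\ncc :second@example.org"


def regex_flags(value):
    """True if the pattern from the report sees an embedded header."""
    return _embedded_header.search(value) is not None


def has_line_break(value):
    """Hypothetical stricter check: refuse any CR or LF in untrusted input."""
    return "\r" in value or "\n" in value


def default_policy_rejects(value):
    """True if EmailMessage (email.policy.default) refuses to store the value."""
    try:
        EmailMessage()["To"] = value
    except ValueError:
        return True
    return False


def parse_view(raw):
    """Header names, body and defect names as the default (compat32) parser sees raw."""
    msg = email.message_from_string(raw)
    return msg.keys(), msg.get_payload(), [type(d).__name__ for d in msg.defects]


# Constructed message text in which the spaced value was written out unchecked.
RAW = "To: " + SPACED + "\nSubject: test\n\nhello\n"

if __name__ == "__main__":
    for v in (PLAIN, SPACED):
        print(repr(v), regex_flags(v), has_line_break(v), default_policy_rejects(v))
    print(parse_view(RAW))
```

Validating the value before it reaches any header API does not depend on how a downstream MTA or MUA chooses to interpret a malformed line.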
