[issue43124] [security] smtplib multiple CRLF injection

2021-08-30 Thread Ned Deily


Ned Deily  added the comment:


New changeset 29d97d17fb7adab3b0df9e178b73f70292d1cf64 by Miss Islington (bot) 
in branch '3.6':
[3.6] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28038)
https://github.com/python/cpython/commit/29d97d17fb7adab3b0df9e178b73f70292d1cf64


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43124] [security] smtplib multiple CRLF injection

2021-08-30 Thread Ned Deily


Ned Deily  added the comment:


New changeset d2cc04cd3024869101e894f73307944d98d187c8 by Miss Islington (bot) 
in branch '3.7':
[3.7] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28037)
https://github.com/python/cpython/commit/d2cc04cd3024869101e894f73307944d98d187c8


--




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:

Thanks, Martin! ✨  ✨

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset b93aea4c7e4553950daa5d47c3ef2dc8a9c4edff by Miss Islington (bot) 
in branch '3.8':
[3.8] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28036)
https://github.com/python/cpython/commit/b93aea4c7e4553950daa5d47c3ef2dc8a9c4edff


--




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 24416e419194f11b639146c0d8bed9df315aca5a by Miss Islington (bot) 
in branch '3.9':
bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28035)
https://github.com/python/cpython/commit/24416e419194f11b639146c0d8bed9df315aca5a


--




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread miss-islington


miss-islington  added the comment:


New changeset 9e6c317ab133cd8fa48d5ecd8568314ef2e98634 by Miss Islington (bot) 
in branch '3.10':
bpo-43124: Fix smtplib multiple CRLF injection (GH-25987)
https://github.com/python/cpython/commit/9e6c317ab133cd8fa48d5ecd8568314ef2e98634


--




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26482
pull_request: https://github.com/python/cpython/pull/28037




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26483
pull_request: https://github.com/python/cpython/pull/28038




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 7.0 -> 8.0
pull_requests: +26479
pull_request: https://github.com/python/cpython/pull/28034




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26481
pull_request: https://github.com/python/cpython/pull/28036




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 0897253f426068ea6a6fbe0ada01689af9ef1019 by Miguel Brito in 
branch 'main':
bpo-43124: Fix smtplib multiple CRLF injection (GH-25987)
https://github.com/python/cpython/commit/0897253f426068ea6a6fbe0ada01689af9ef1019


--




[issue43124] [security] smtplib multiple CRLF injection

2021-08-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26480
pull_request: https://github.com/python/cpython/pull/28035




[issue43124] [security] smtplib multiple CRLF injection

2021-07-19 Thread R. David Murray


R. David Murray  added the comment:

My apologies, I did not think about the possibility of an English issue.  I was 
reacting to the "security report speak", which I find often makes a security 
issue sound worse than it is :)  Thank you for reporting this problem, and I do 
think we should fix it.

My posting was directed at the severity of the issue, since it was potentially 
holding up a release.  My point about the example is that without an example of 
code that could reasonably be expected to use user input in a call that could 
inject newlines, we can treat this as a low priority issue.  If we had a 
proposed example of such code, then the priority would be higher.  If it was an 
example of such code "in the wild", then it would be quite high :)

The reason I'm saying we should have an example in order to consider it higher 
priority is that I cannot see *any* likelihood that this would be a problem in 
practice.  Let me explain.

putcmd is an *internal* interface.  If we look at the commands that call putcmd 
or docmd, the only ones that pass extra data that aren't pretty obviously safe 
(ie: not clearly sanitized data) are rcpt and mail[*].  In both cases the item 
of concern is optionslist.  optionslist is a list of *SMTP server options*.  
This is not data that is reasonably taken from user input, it is data provided 
*by the programmer*.

[*] I did double check to make sure that email.utils.parseaddr sanitizes both 
\r and \r, just to be sure :)

Therefore this is *not* a significant security issue.  But as I said, we should 
take the "defense in depth" approach and apply the check in putcmd as you 
recommend.  I just don't think it needs to hold up a release.

--




[issue43124] [security] smtplib multiple CRLF injection

2021-07-13 Thread Martin Ortner


Martin Ortner  added the comment:

> This bug report starts with "a malicious user with direct access to 
> `smtplib.SMTP(..., local_hostname, ..)", which is a senseless supposition.  
> Anyone with "access to" the SMTP object could just as well be talking 
> directly to the SMTP server and do anything they want that SMTP itself allows.

Let's not argue about the phrasing and settle on the fact that I am not a 
native English speaker which might be the root cause of the confusion. The core 
of the issue is that this *unexpected side-effect* may be security-relevant. 
Fixing it probably takes less time than arguing about phrasing, severity, or 
spending time describing exploitation scenarios for a general-purpose library 
that should protect the underlying protocol from injections. 


Be kind, I come in peace.

--




[issue43124] [security] smtplib multiple CRLF injection

2021-07-13 Thread R. David Murray


R. David Murray  added the comment:

s/header injection/command injection/

--




[issue43124] [security] smtplib multiple CRLF injection

2021-07-13 Thread R. David Murray


R. David Murray  added the comment:

This bug report starts with "a malicious user with direct access to 
`smtplib.SMTP(..., local_hostname, ..)", which is a senseless supposition.  
Anyone with "access to" the SMTP object could just as well be talking directly 
to the SMTP server and do anything they want that SMTP itself allows.

The concern here is that data a program might obtain *from unsanitized user 
input* could be used to do header injection.  The "proof of concept" does not 
address this at all.  We'd need to see a scenario under which data that could 
reasonably be derived from user input ends up being passed as arguments to an 
smtplib method that calls putcmd with arguments.

So, I would rate this as *very* low impact issue, unless someone has an *actual 
example* of code using smtplib that passes user input through to smtplib 
commands in an exploitable way.

That said, it is perfectly reasonable to be proactive here and prevent 
scenarios we haven't yet thought of, by doing as recommended (and a bit more) 
by raising a ValueError if 'args' in the putcmd call contain either \n or \r 
characters.  I don't think we need to check 'cmd', because I can't see any 
scenario in which the SMTP command would be derived from user input.  If you 
want to be *really* paranoid you could check cmd too, and since it will always 
be a short string the additional performance impact will be minor.

--
type: performance -> security
versions: +Python 3.10, Python 3.11, Python 3.6, Python 3.7, Python 3.8, Python 
3.9

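As an added example (not code from this thread and not CPython's own smtplib), the guard R. David Murray recommends above, applied to a putcmd-style command builder; the function names are constructed for this illustration, and the MAIL option list stands in for the optionslist that the 2021-07-19 comment earlier on this page singles out as the argument that reaches putcmd unchanged:

```python
# Added example, not from the tracker thread or from CPython's smtplib.
# It mirrors the defence-in-depth check discussed in the thread: refuse any
# CR or LF in the text that becomes one SMTP command line, so an argument
# can never terminate the line early and be read as a second command.
from typing import Sequence

CRLF = "\r\n"


def build_command(cmd: str, args: str = "") -> str:
    """Assemble one command line the way a putcmd-style helper does, and
    reject CR/LF in cmd or args before the CRLF terminator is appended.
    cmd is checked too: it is always short, so the extra cost is negligible."""
    line = cmd if args == "" else f"{cmd} {args}"
    if "\r" in line or "\n" in line:
        shown = line.replace("\r", "\\r").replace("\n", "\\n")
        raise ValueError(
            f"command and arguments contain prohibited newline characters: {shown}"
        )
    return line + CRLF


def mail_command(sender: str, options: Sequence[str] = ()) -> str:
    """Build MAIL FROM with an ESMTP option list; the option list is the
    programmer-supplied value worth validating at this boundary."""
    optionlist = " " + " ".join(options) if options else ""
    return build_command("mail", f"FROM:<{sender}>{optionlist}")


def server_side_lines(unchecked_line: str) -> int:
    """How many CRLF-terminated command lines a server would parse if the
    line were sent *without* the guard (the pre-fix behaviour). Anything
    above 1 means the argument was able to end the command early."""
    return (unchecked_line + CRLF).count(CRLF)


def rejects_newlines(cmd: str, args: str = "") -> bool:
    """True when build_command refuses the input; used to verify the guard."""
    try:
        build_command(cmd, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(mail_command("sender@example.com", ["SIZE=2048"]).rstrip())
    # constructed option value carrying an embedded CRLF followed by a harmless NOOP
    print(rejects_newlines("mail", "FROM:<sender@example.com> SIZE=1\r\nnoop"))
```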



[issue43124] [security] smtplib multiple CRLF injection

2021-07-10 Thread Alireza Pourali


Change by Alireza Pourali :


--
components:  -email
type: security -> performance
versions:  -Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9




[issue43124] [security] smtplib multiple CRLF injection

2021-05-21 Thread Ned Deily


Ned Deily  added the comment:

Thanks for the PR!  Can someone from the email team take a look at it, please?

--




[issue43124] [security] smtplib multiple CRLF injection

2021-05-08 Thread Miguel Brito


Change by Miguel Brito :


--
keywords: +patch
pull_requests: +24639
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/25987




[issue43124] [security] smtplib multiple CRLF injection

2021-05-07 Thread Ned Deily


Ned Deily  added the comment:

There is no sign of anyone currently working on it, so please feel free to dig 
in!

--




[issue43124] [security] smtplib multiple CRLF injection

2021-05-07 Thread Miguel Brito


Miguel Brito  added the comment:

If there's no one working on it I'd be happy to prepare a fix.

--
nosy: +miguendes




[issue43124] [security] smtplib multiple CRLF injection

2021-05-07 Thread Ned Deily


Ned Deily  added the comment:

Still in "deferred blocker" status awaiting a PR from someone

--




[issue43124] [security] smtplib multiple CRLF injection

2021-04-02 Thread Łukasz Langa

Łukasz Langa  added the comment:

Deferred the blocker to a regular release due to lack of activity in time for 
the current expedited releases.

--
priority: release blocker -> deferred blocker




[issue43124] [security] smtplib multiple CRLF injection

2021-03-31 Thread Christian Heimes


Change by Christian Heimes :


--
nosy: +christian.heimes, lukasz.langa, ned.deily
priority: normal -> release blocker




[issue43124] [security] smtplib multiple CRLF injection

2021-02-04 Thread STINNER Victor


Change by STINNER Victor :


--
title: smtplib multiple CRLF injection -> [security] smtplib multiple CRLF 
injection
