Skip to content

Fix bpo-36041: fix folding of quoted string in display_name violates RFC #12054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ghost wants to merge 2 commits into from
Closed

Fix bpo-36041: fix folding of quoted string in display_name violates RFC #12054

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
870a86b
Create test illustrating bug 36041
Feb 26, 2019
686a713
Fix email bug 36041: don't unescape bare quoted strings during refold
Feb 26, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Create test illustrating bug 36041 
For display names that are longer than the policy's maximum line length,
the folding process removes the quotes from the display name which
may violate the structure of an address header if the content of the
display name is specifically formed.
  • Loading branch information
Aaryn Tonita committed Feb 26, 2019
commit 870a86b6dc5b19d55cf0cc6429aca72d00ee0f9d
20 changes: 20 additions & 0 deletions Lib/test/test_email/test__header_value_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2770,5 +2770,25 @@ def test_long_filename_attachment(self):
" filename*1*=_TEST_TES.txt\n",
)

def test_long_display_name(self):
display_name = (
# An address as first part of display name is a security issue.
'spoofed@example.com'
+ ' '
# This triggers the BareQuotedString folding recursion.
+ 'a'*self.policy.max_line_length
# These two quoted-pairs become the unescaped " \ outside.
+ ' '
+ '\\" \\\\'
)
addr_spec = 'actual.sender@example.com'
address = '"' + display_name + '" <' + addr_spec + '>\n'
self._test(parser.get_address(address)[0],
'"spoofed@example.com\n'
' ' + 'a'*self.policy.max_line_length + '\n'
' \\" \\\\" <actual.sender@example.com>\n',
)


if __name__ == '__main__':
unittest.main()