[3.12] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) #122599

Merged
merged 2 commits into from
Aug 6, 2024

@encukou encukou commented Aug 2, 2024

  • Encode header parts that contain newlines

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

  • Verify that email headers are well-formed

This should fail for custom fold() implementations that aren't careful
about newlines.

Co-authored-by: Bas Bloemsaat [email protected]
Co-authored-by: Serhiy Storchaka [email protected]
(cherry picked from commit 0976339)


📚 Documentation preview 📚: https://cpython-previews--122599.org.readthedocs.build/
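
Added example, not part of this pull request or of CPython's code: a standalone sketch of the two points in the description above, showing a custom `fold()` that passes a newline straight through, a well-formedness check that rejects its output, and the same value carried as an RFC 2047 encoded-word. `CarelessPolicy`, `header_is_well_formed`, `encode_value`, `decode_value` and the sample value are hypothetical names and data constructed for illustration; the check is one possible rule, not the one the patch implements.

```python
import re
from email import policy, quoprimime
from email.header import decode_header

# Constructed sample value with an embedded newline.
SUBJECT_WITH_NEWLINE = "Quarterly report\nX-Extra: 1"


class CarelessPolicy(policy.EmailPolicy):
    """Hypothetical custom policy: fold() copies the value through as-is."""

    def fold(self, name, value):
        return f"{name}: {value}{self.linesep}"


def header_is_well_formed(folded, linesep="\n"):
    """True if `folded` serializes exactly one header field.

    Illustrative rule (an assumption, not CPython's check): the text ends
    with linesep, the first line is 'name:', and every later line is a
    non-blank continuation starting with a space or tab.
    """
    if not folded.endswith(linesep):
        return False
    first, *rest = re.split(r"\r\n|\r|\n", folded[: -len(linesep)])
    if not re.match(r"[!-9;-~]+:", first):
        return False
    return all(line[:1] in (" ", "\t") and line.strip() for line in rest)


def encode_value(value, charset="utf-8"):
    """RFC 2047 'Q' encoded-word; the newline is carried as =0A."""
    return quoprimime.header_encode(value.encode(charset), charset)


def decode_value(encoded):
    """Decode a single encoded-word back to text."""
    raw, charset = decode_header(encoded)[0]
    return raw.decode(charset)


if __name__ == "__main__":
    careless = CarelessPolicy().fold("Subject", SUBJECT_WITH_NEWLINE)
    encoded = f"Subject: {encode_value(SUBJECT_WITH_NEWLINE)}\n"
    print("careless fold well-formed:", header_is_well_formed(careless))
    print("encoded-word well-formed: ", header_is_well_formed(encoded))
    print("round trip intact:        ",
          decode_value(encode_value(SUBJECT_WITH_NEWLINE)) == SUBJECT_WITH_NEWLINE)
```

The sketch calls `fold()` directly rather than going through a generator, so its result does not depend on whether the running interpreter already contains this fix.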


encukou commented Aug 3, 2024

Marking this for consideration as a release blocker.
IMO, this should go into 3.12.5. Ideally it would be merged after the 3.13 backport, which requires review.

@Yhg1s Yhg1s merged commit 4766d12 into python:3.12 Aug 6, 2024
31 checks passed
@encukou encukou deleted the backport-0976339-3.12 branch August 7, 2024 12:00
smoser added a commit to smoser/advisories that referenced this pull request Aug 8, 2024
The fix for this issue was included in upstream release of 3.12.5.
python/cpython#122599
github-merge-queue bot pushed a commit to wolfi-dev/advisories that referenced this pull request Aug 8, 2024
The fix for this issue was included in upstream release of 3.12.5.
python/cpython#122599