Skip to content

Fix bpo-36041: fix folding of quoted string in display_name violates RFC #12054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

Fix bpo-36041: fix folding of quoted string in display_name violates RFC #12054

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
870a86b
Create test illustrating bug 36041
Feb 26, 2019
686a713
Fix email bug 36041: don't unescape bare quoted strings during refold
Feb 26, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions Lib/email/_header_value_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2661,6 +2661,24 @@ def _refold_parse_tree(parse_tree, *, policy):
if newline or part.startswith_fws():
lines.append(newline + tstr)
continue
# Do not strip the quotes from BareQuotedString's by iterating over the
# children. Doing so might break a structured header and this function
# is context unaware. Instead prepare quoted children.
if isinstance(part, BareQuotedString):
subparts = list(part)
quoted_subparts = []
dquote = ValueTerminal('"', 'ptext')
quoted_subparts.append(dquote)
for subpart in subparts:
quoted_without_quotes = quote_string(subpart)[1:-1]
quoted_terminal = ValueTerminal(quoted_without_quotes, 'ptext')
quoted_subparts.append(quoted_terminal)
quoted_subparts.append(dquote)
if not part.as_ew_allowed:
wrap_as_ew_blocked += 1
quoted_subparts.append(end_ew_not_allowed)
parts = quoted_subparts + parts
continue
if not hasattr(part, 'encode'):
# It's not a terminal, try folding the subparts.
newparts = list(part)
Expand Down
20 changes: 20 additions & 0 deletions Lib/test/test_email/test__header_value_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2770,5 +2770,25 @@ def test_long_filename_attachment(self):
" filename*1*=_TEST_TES.txt\n",
)

def test_long_display_name(self):
display_name = (
# An address as first part of display name is a security issue.
'[email protected]'
+ ' '
# This triggers the BareQuotedString folding recursion.
+ 'a'*self.policy.max_line_length
# These two quoted-pairs become the unescaped " \ outside.
+ ' '
+ '\\" \\\\'
)
addr_spec = '[email protected]'
address = '"' + display_name + '" <' + addr_spec + '>\n'
self._test(parser.get_address(address)[0],
'"[email protected]\n'
' ' + 'a'*self.policy.max_line_length + '\n'
' \\" \\\\" <[email protected]>\n',
)


if __name__ == '__main__':
unittest.main()