LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16456 Commits
1 Branch
46 MiB
 
 
 
 
 
 
Tree: 19b07c6642
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '19b07c6642'
${ noResults }
openwrt-packages-dist/lang/python/python3/patches/026-3.7-bpo-37764-Fix-infin...

167 lines
6.6 KiB
Raw Blame History

From ea21389dda401457198fb214aa2c981a45ed9528 Mon Sep 17 00:00:00 2001
From: Ashwin Ramaswami <aramaswamis@gmail.com>
Date: Tue, 3 Sep 2019 09:42:53 -0700
Subject: [PATCH] [3.7] bpo-37764: Fix infinite loop when parsing unstructured
email headers. (GH-15239) (GH-15654)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
…aders. (GH-15239)
Fixes a case in which email._header_value_parser.get_unstructured hangs the system for some invalid headers. This covers the cases in which the header contains either:
- a case without trailing whitespace
- an invalid encoded word
https://bugs.python.org/issue37764
This fix should also be backported to 3.7 and 3.8
https://bugs.python.org/issue37764
(cherry picked from commit c5b242f87f31286ad38991bc3868cf4cfbf2b681)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
https://bugs.python.org/issue37764
---
Lib/email/_header_value_parser.py | 19 ++++++++++++++---
.../test_email/test__header_value_parser.py | 16 ++++++++++++++
Lib/test/test_email/test_email.py | 21 +++++++++++++++++++
Misc/ACKS | 1 +
.../2019-08-27-01-13-05.bpo-37764.qv67PQ.rst | 1 +
5 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2019-08-27-01-13-05.bpo-37764.qv67PQ.rst
--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
@@ -931,6 +931,10 @@ class EWWhiteSpaceTerminal(WhiteSpaceTer
return ''
+class _InvalidEwError(errors.HeaderParseError):
+ """Invalid encoded word found while parsing headers."""
+
+
# XXX these need to become classes and used as instances so
# that a program can't change them in a parse tree and screw
# up other parse trees. Maybe should have tests for that, too.
@@ -1035,7 +1039,10 @@ def get_encoded_word(value):
raise errors.HeaderParseError(
"expected encoded word but found {}".format(value))
remstr = ''.join(remainder)
- if len(remstr) > 1 and remstr[0] in hexdigits and remstr[1] in hexdigits:
+ if (len(remstr) > 1 and
+ remstr[0] in hexdigits and
+ remstr[1] in hexdigits and
+ tok.count('?') < 2):
# The ? after the CTE was followed by an encoded word escape (=XX).
rest, *remainder = remstr.split('?=', 1)
tok = tok + '?=' + rest
@@ -1047,7 +1054,7 @@ def get_encoded_word(value):
try:
text, charset, lang, defects = _ew.decode('=?' + tok + '?=')
except ValueError:
- raise errors.HeaderParseError(
+ raise _InvalidEwError(
"encoded word format invalid: '{}'".format(ew.cte))
ew.charset = charset
ew.lang = lang
@@ -1097,9 +1104,12 @@ def get_unstructured(value):
token, value = get_fws(value)
unstructured.append(token)
continue
+ valid_ew = True
if value.startswith('=?'):
try:
token, value = get_encoded_word(value)
+ except _InvalidEwError:
+ valid_ew = False
except errors.HeaderParseError:
# XXX: Need to figure out how to register defects when
# appropriate here.
@@ -1121,7 +1131,10 @@ def get_unstructured(value):
# Split in the middle of an atom if there is a rfc2047 encoded word
# which does not have WSP on both sides. The defect will be registered
# the next time through the loop.
- if rfc2047_matcher.search(tok):
+ # This needs to only be performed when the encoded word is valid;
+ # otherwise, performing it on an invalid encoded word can cause
+ # the parser to go in an infinite loop.
+ if valid_ew and rfc2047_matcher.search(tok):
tok, *remainder = value.partition('=?')
vtext = ValueTerminal(tok, 'vtext')
_validate_xtext(vtext)
--- a/Lib/test/test_email/test__header_value_parser.py
+++ b/Lib/test/test_email/test__header_value_parser.py
@@ -383,6 +383,22 @@ class TestParser(TestParserMixin, TestEm
[errors.InvalidHeaderDefect],
'')
+ def test_get_unstructured_without_trailing_whitespace_hang_case(self):
+ self._test_get_x(self._get_unst,
+ '=?utf-8?q?somevalue?=aa',
+ 'somevalueaa',
+ 'somevalueaa',
+ [errors.InvalidHeaderDefect],
+ '')
+
+ def test_get_unstructured_invalid_ew(self):
+ self._test_get_x(self._get_unst,
+ '=?utf-8?q?=somevalue?=',
+ '=?utf-8?q?=somevalue?=',
+ '=?utf-8?q?=somevalue?=',
+ [],
+ '')
+
# get_qp_ctext
def test_get_qp_ctext_only(self):
--- a/Lib/test/test_email/test_email.py
+++ b/Lib/test/test_email/test_email.py
@@ -5367,6 +5367,27 @@ Content-Type: application/x-foo;
eq(language, 'en-us')
eq(s, 'My Document For You')
+ def test_should_not_hang_on_invalid_ew_messages(self):
+ messages = ["""From: user@host.com
+To: user@host.com
+Bad-Header:
+ =?us-ascii?Q?LCSwrV11+IB0rSbSker+M9vWR7wEDSuGqmHD89Gt=ea0nJFSaiz4vX3XMJPT4vrE?=
+ =?us-ascii?Q?xGUZeOnp0o22pLBB7CYLH74Js=wOlK6Tfru2U47qR?=
+ =?us-ascii?Q?72OfyEY2p2=2FrA9xNFyvH+fBTCmazxwzF8nGkK6D?=
+
+Hello!
+""", """From: ����� �������� <xxx@xxx>
+To: "xxx" <xxx@xxx>
+Subject: ��� ���������� ����� ����� � ��������� �� ����
+MIME-Version: 1.0
+Content-Type: text/plain; charset="windows-1251";
+Content-Transfer-Encoding: 8bit
+
+�� ����� � ���� ������ ��� ��������
+"""]
+ for m in messages:
+ with self.subTest(m=m):
+ msg = email.message_from_string(m)
# Tests to ensure that signed parts of an email are completely preserved, as
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1305,6 +1305,7 @@ Burton Radons
Abhilash Raj
Shorya Raj
Dhushyanth Ramasamy
+Ashwin Ramaswami
Jeff Ramnani
Bayard Randel
Varpu Rantala
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-08-27-01-13-05.bpo-37764.qv67PQ.rst
@@ -0,0 +1 @@
+Fixes email._header_value_parser.get_unstructured going into an infinite loop for a specific case in which the email header does not have trailing whitespace, and the case in which it contains an invalid encoded word. Patch by Ashwin Ramaswami.
\ No newline at end of file