Skip to content

gh-127794: Validate header name according to rfc-5322 #127820

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 82 commits into from
Mar 30, 2025
Merged

gh-127794: Validate header name according to rfc-5322 #127820

Show file tree
Hide file tree
Changes from 27 commits
Commits
Show all changes
82 commits
Select commit Hold shift + click to select a range
901a91c
gh-127794: Validate header name according rfc-5322 and allow only pri…
srinivasreddy Dec 11, 2024
5be0eaa
Add test case
srinivasreddy Dec 11, 2024
6ae6273
Add some more tests
srinivasreddy Dec 11, 2024
a7d1c0c
Fix indentation
srinivasreddy Dec 11, 2024
d04c9a2
Add news entry
srinivasreddy Dec 11, 2024
bcab963
Merge branch 'main' into gh-127794
srinivasreddy Dec 11, 2024
53bdb4f
gh-127794: Create a separate function for validating header
srinivasreddy Dec 13, 2024
31e4f3e
gh-127794: Coverge all the validations into a single regex
srinivasreddy Dec 13, 2024
fae3664
gh-127794: Revert the changes
srinivasreddy Dec 13, 2024
026f35b
gh-127794: Remove one variable
srinivasreddy Dec 13, 2024
8f6f6c3
gh-127794: Update tests
srinivasreddy Dec 13, 2024
ce18c9b
Address review comments
srinivasreddy Dec 17, 2024
aaa8879
Address review comments
srinivasreddy Dec 17, 2024
fb73967
Merge branch 'main' into gh-127794
srinivasreddy Dec 17, 2024
1de4e4c
Merge branch 'main' into gh-127794
srinivasreddy Dec 17, 2024
b29f1aa
Merge branch 'main' into gh-127794
srinivasreddy Dec 17, 2024
075a44a
Add some more tests
srinivasreddy Dec 17, 2024
d1b07c5
Fix the function name
srinivasreddy Dec 17, 2024
8129d13
Add test case for invalid_header_names
srinivasreddy Dec 17, 2024
5e371cc
Update tests
srinivasreddy Dec 17, 2024
84d2aec
Remove redundant regular expression
srinivasreddy Dec 18, 2024
ebd47a4
Update the regex per review comments
srinivasreddy Dec 18, 2024
541f59b
Update test cases
srinivasreddy Dec 18, 2024
3ac53da
Improve blurb message
srinivasreddy Dec 18, 2024
4882f44
Fix failing test
srinivasreddy Dec 18, 2024
9726c21
Update parameter name
srinivasreddy Dec 18, 2024
d6549a0
Merge branch 'main' into gh-127794
srinivasreddy Dec 18, 2024
44985a4
Update Misc/NEWS.d/next/Library/2024-12-11-17-44-36.gh-issue-127794.V…
srinivasreddy Dec 23, 2024
c83b6bf
gh-115999: Enable BINARY_SUBSCR_GETITEM for free-threaded build (gh-1…
corona10 Dec 19, 2024
d0256e6
gh-128069: brew link --overwrite tcl-tk@8 to prevent conflict with Gi…
vstinner Dec 19, 2024
6f3f0d4
gh-128013: fix data race in `PyUnicode_AsUTF8AndSize` on free-threadi…
kumaraditya303 Dec 19, 2024
efdc31f
gh-122706: fix docs for asyncio ssl sockets (#128092)
kumaraditya303 Dec 19, 2024
dd5fcc0
gh-127688: Add `SCHED_DEADLINE` and `SCHED_NORMAL` constants to `os` …
rruuaanng Dec 19, 2024
2fade09
gh-128083: Fix macro redefinition warning in clinic. (GH-127950)
ZeroIntensity Dec 19, 2024
e521e71
gh-127951: Add build option to enable pystats on Windows (GH-127952)
eendebakpt Dec 19, 2024
6853c1c
gh-128008: Add `PyWeakref_IsDead()` (GH-128009)
colesbury Dec 19, 2024
07eb113
GH-122548: Implement branch taken and not taken events for sys.monito…
markshannon Dec 19, 2024
6e55b1b
gh-115999: Specialize `STORE_ATTR` in free-threaded builds. (gh-127838)
nascheme Dec 19, 2024
d28ddba
gh-128062: Fix the font size and shortcut display of the turtledemo m…
Xiaokang2022 Dec 19, 2024
08c1491
gh-127274: Defer nested methods (#128012)
mpage Dec 19, 2024
356306e
gh-128080: remove unnecessary `__init__` method from Enum (GH-128081)
tungol Dec 19, 2024
9c87b55
gh-112328: Document EnumDict in docs and release notes (GH-121720)
u2rafi Dec 19, 2024
9afb5d8
gh-128058: Fix test_builtin ImmortalTests (#128068)
vstinner Dec 20, 2024
a548261
gh-128030: Avoid error from PyModule_GetFilenameObject for non-module…
hauntsaninja Dec 20, 2024
35fd9ed
GH-122548: Correct magic number comment (GH-128115)
markshannon Dec 20, 2024
77175aa
gh-109959: Log the current directory in test_glob.test_selflink() (#1…
vstinner Dec 20, 2024
e803dea
gh-128116: Skip test_socket VSOCK testStream() on PermissionError (#1…
vstinner Dec 20, 2024
952fc1f
gh-127946: Use a critical section for `CFuncPtr` attributes (GH-128109)
ZeroIntensity Dec 20, 2024
6ef3119
gh-127295: ctypes: Switch field accessors to fixed-width integers (GH…
encukou Dec 20, 2024
4aa1b13
GH-127705: Add debug mode for `_PyStackRef`s inspired by HPy debug mo…
markshannon Dec 20, 2024
867ddb4
Python Tutorial typo fix (#128077)
shallow-beach Dec 20, 2024
349b5ec
gh-128049: Fix type confusion bug with the return value of a custom E…
Nico-Posada Dec 20, 2024
8d4f62d
gh-112328: Make EnumDict usable on its own and document it (GH-123669)
encukou Dec 20, 2024
37e6e64
GH-127807: pathlib ABCs: remove `PurePathBase._raw_paths` (#127883)
barneygale Dec 22, 2024
3e44493
GH-127807: pathlib ABCs: remove a few private attributes (#127851)
barneygale Dec 22, 2024
6aba8e0
GH-127807: pathlib ABCs: move private copying methods to dedicated cl…
barneygale Dec 22, 2024
405782e
gh-126664: revert: Use `else` instead of `finally` in docs explaining…
gpshead Dec 22, 2024
2ad5c8f
gh-127949: fix resource warnings in `test_tasks.py` (#128172)
graingert Dec 22, 2024
6331c05
gh-119786: Fix typos in `InternalDocs/interpreter.md` (#128174)
WolframAlph Dec 22, 2024
a813023
gh-100384: Error on `unguarded-availability` in macOS builds (#128155)
zanieb Dec 22, 2024
b7bfacb
gh-126180: Remove getopt and optparse deprecation notices (GH-126227)
ncoghlan Dec 23, 2024
3ce49be
Address review comments
srinivasreddy Dec 23, 2024
7038404
Merge branch 'main' into gh-127794
srinivasreddy Dec 23, 2024
32dc6c8
Update test case
srinivasreddy Dec 23, 2024
151e146
Fix test failures
srinivasreddy Dec 23, 2024
810f9cb
Update Lib/test/test_email/test_email.py
srinivasreddy Dec 31, 2024
079dda7
Address review comments
srinivasreddy Dec 31, 2024
f69394e
Merge branch 'main' into gh-127794
srinivasreddy Dec 31, 2024
e45165f
Order imports as per case sensitive alphabetical order
srinivasreddy Jan 2, 2025
8233e92
Remove the extraneous line
srinivasreddy Jan 2, 2025
2550011
Move the validate_header_name up
srinivasreddy Jan 2, 2025
31edff1
Merge branch 'main' into gh-127794
srinivasreddy Jan 2, 2025
56a77e9
Add RFC section
srinivasreddy Jan 2, 2025
f2bbb92
Update Misc/NEWS.d/next/Library/2024-12-11-17-44-36.gh-issue-127794.V…
srinivasreddy Jan 6, 2025
98e5920
Merge branch 'main' into gh-127794
srinivasreddy Jan 8, 2025
9dfe0f1
Merge branch 'main' into gh-127794
srinivasreddy Feb 19, 2025
cf1f908
Merge branch 'main' into gh-127794
srinivasreddy Mar 5, 2025
d5c538f
Address review comments
srinivasreddy Mar 5, 2025
bf72d24
Merge branch 'main' into gh-127794
bitdancer Mar 29, 2025
590c1ac
fixup typo
picnixz Mar 30, 2025
958bcf3
fixup rst
picnixz Mar 30, 2025
5f9d4a1
Update Misc/NEWS.d/next/Library/2024-12-11-17-44-36.gh-issue-127794.V…
picnixz Mar 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions Lib/email/_policybase.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
"""

import abc
import re
from email import header
from email import charset as _charset
from email.utils import _has_surrogates
Expand All @@ -14,6 +15,12 @@
'compat32',
]

valid_header_name_re = re.compile("[\041-\071\073-\176]+$")

def validate_header_name(name):
# Validate header name according to RFC 5322
if not valid_header_name_re.match(name):
raise ValueError(f"Header field name contains invalid characters: {name!r}")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrap <80, please


class _PolicyBase:

Expand Down Expand Up @@ -314,6 +321,7 @@ def header_store_parse(self, name, value):
"""+
The name and value are returned unmodified.
"""
validate_header_name(name)
return (name, value)

def header_fetch_parse(self, name, value):
Expand Down
9 changes: 8 additions & 1 deletion Lib/email/policy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,13 @@

import re
import sys
from email._policybase import Policy, Compat32, compat32, _extend_docstrings
from email._policybase import (
_extend_docstrings,
Compat32,
compat32,
Policy,
validate_header_name
)
from email.utils import _has_surrogates
from email.headerregistry import HeaderRegistry as HeaderRegistry
from email.contentmanager import raw_data_manager
Expand Down Expand Up @@ -140,6 +146,7 @@ def header_store_parse(self, name, value):
"""
if hasattr(value, 'name') and value.name.lower() == name.lower():
return (name, value)
validate_header_name(name)
if isinstance(value, str) and len(value.splitlines())>1:
# XXX this error message isn't quite right when we use splitlines
# (see issue 22233), but I'm not sure what should happen here.
Expand Down
27 changes: 27 additions & 0 deletions Lib/test/test_email/test_email.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -728,6 +728,33 @@ def test_nonascii_add_header_with_tspecial(self):
"attachment; filename*=utf-8''Fu%C3%9Fballer%20%5Bfilename%5D.ppt",
msg['Content-Disposition'])

def test_invalid_header_names(self):
invalid_headers = [
('Invalid Header', 'contains space'),
('Tab\tHeader', 'contains tab'),
('Colon:Header', 'contains colon'),
('', 'Empty name'),
(' LeadingSpace', 'starts with space'),
('TrailingSpace ', 'ends with space'),
('Header\x7F', 'Non-ASCII character'),
('Header\x80', 'Extended ASCII'),
]
for thispolicy in (email.policy.default, email.policy.compat32):
for method in ('__setitem__', 'add_header'):
for name, value in invalid_headers:
with self.subTest(
name=name,
description=value,
policy=thispolicy.__class__.__name__,
method=method,
):
with self.assertRaises(ValueError) as cm:
getattr(Message(policy=thispolicy), method)(name, value)
msg = str(cm.exception)
self.assertRegex(msg,'(?i)(?=.*invalid)(?=.*header)(?=.*name)')
self.assertIn(f"{name!r}", msg)


def test_binary_quopri_payload(self):
for charset in ('latin-1', 'ascii'):
msg = Message()
Expand Down
26 changes: 26 additions & 0 deletions Lib/test/test_email/test_message.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1004,6 +1004,32 @@ def test_folding_with_long_nospace_http_policy_1(self):
parsed_msg = message_from_bytes(m.as_bytes(), policy=policy.default)
self.assertEqual(parsed_msg['Message-ID'], m['Message-ID'])

def test_invalid_header_names(self):
invalid_headers = [
('Invalid Header', 'contains space'),
('Tab\tHeader', 'contains tab'),
('Colon:Header', 'contains colon'),
('', 'Empty name'),
(' LeadingSpace', 'starts with space'),
('TrailingSpace ', 'ends with space'),
('Header\x7F', 'Non-ASCII character'),
('Header\x80', 'Extended ASCII'),
]
for thispolicy in (policy.default, policy.compat32):
for method in ('__setitem__', 'add_header'):
for name, value in invalid_headers:
with self.subTest(
name=name,
description=value,
policy=thispolicy.__class__.__name__,
method=method,
):
with self.assertRaises(ValueError) as cm:
getattr(EmailMessage(policy=thispolicy), method)(name, value)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please wrap <80

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition, avoid having multiple calls within the assertRaises (you can also use assertRaisesRegex). For instance:

message = EmailMessage(policy=thispolicy)
method = getattr(message, method)
pattern = re.escape(...)
with self.assertRaisesRegex(ValueError, pattern) as cm:
	method(name, value)
self.assertIn(repr(name), str(cm.exception))

msg = str(cm.exception)
self.assertRegex( msg, '(?i)(?=.*invalid)(?=.*header)(?=.*name)')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please wrap <80

self.assertIn(f"{name!r}", msg)

def test_get_body_malformed(self):
"""test for bpo-42892"""
msg = textwrap.dedent("""\
Expand Down
3 changes: 3 additions & 0 deletions Misc/NEWS.d/next/Library/2024-12-11-17-44-36.gh-issue-127794.VwmRsp.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
The :meth:`email.message.Message.add_header` method now validates header
field names according to :rfc:`5322` when headers are added via add_header
or __setitem__ and raises a ValueError if they contain invalid characters.
Loading