Skip to content

/cpython

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bpo-39040: Fix parsing of email headers with whitespace between encoded-words. #17620

Open
wants to merge 1 commit into
base: master
from
Open

bpo-39040: Fix parsing of email headers with whitespace between encoded-words. #17620

wants to merge 1 commit into from
+23 −0

Conversation

@maxking
Copy link
Contributor

maxking commented Dec 16, 2019
edited by bedevere-bot

In certain malformed content-disposition headers, parameter values are quoted
and split as encoded words on two lines with extra whitespaces. This fixes the
issue by removing the extra whitespace between the two encoded words.

https://bugs.python.org/issue39040
@maxking
bpo-39040: Fix parsing of email headers with whitespace between encod…
Verified
This commit was signed with a verified signature.
maxking Abhilash Raj
GPG key ID: 9D9B2BA061D0A67C Learn about signing commits
Loading status checks…
9da6ddf 
…ed-words.

In certain malformed content-disposition headers, parameter values are quoted
and split as encoded words on two lines with extra whitespaces. This fixes the
issue by removing the extra whitespace between the two encoded words.
@maxking maxking requested a review from python/email-team as a code owner Dec 16, 2019
@bitdancer
bitdancer reviewed Dec 16, 2019
View changes
Lib/email/_header_value_parser.py
except errors.HeaderParseError:
token, value = get_qcontent(value)

This comment has been minimized.

Sign in to view
Copy link
@bitdancer

bitdancer Dec 16, 2019

Member

I'd prefer to not have a blank line here.
@bitdancer
bitdancer reviewed Dec 16, 2019
View changes
Lib/email/_header_value_parser.py
if valid_ew and len(bare_quoted_string) > 1:
if (bare_quoted_string[-1].token_type == 'fws' and
bare_quoted_string[-2].token_type == 'encoded-word'):

This comment has been minimized.

Sign in to view
Copy link
@bitdancer

bitdancer Dec 16, 2019

Member

Or here.
@bitdancer
bitdancer reviewed Dec 16, 2019
View changes
Lib/test/test_email/test_headerregistry.py
@@ -873,6 +873,16 @@ def content_disp_as_value(self,
{'filename': 'foo'},
[errors.InvalidHeaderDefect]),

'invalid_value_with_fws_bw_ew': (

This comment has been minimized.

Sign in to view
Copy link
@bitdancer

bitdancer Dec 16, 2019

Member

'value' in the preceding test names is the value of the header. The thing being tested here is the value of the parameter. Confusing, I know :) Also, I suggest spelling out bw, which at least to my eyes isn't obvious: invalid_parameter_value_with_fws_between_ew".

Also, I suggest adding a test with an EW in the middle of regular tokens, to make sure white space that is not between EWs is handled correctly. Your code should, but we want to guard against future breakage.
@bitdancer
bitdancer reviewed Dec 16, 2019
View changes
Misc/NEWS.d/next/Library/2019-12-15-18-47-20.bpo-39040.tKa0Qs.rst
@@ -0,0 +1,2 @@
Fix parsing of invalid Content-Disposition email headers by collapsing
whitespace between encoded words in a bare-quote-string.

This comment has been minimized.

Sign in to view
Copy link
@bitdancer

bitdancer Dec 16, 2019

Member

This isn't specific to the content-disposition header, it applies to any mime header, since in theory any mime header can have paramaters. So, 'Fix parsing of invalid mime header parameters by...'.
@bitdancer
bitdancer requested changes Dec 16, 2019
View changes
Copy link
Member

bitdancer left a comment

Oops, I forgot to start a review :(
@bedevere-bot

This comment has been minimized.

Sign in to view
Copy link

bedevere-bot commented Dec 16, 2019

When you're done making the requested changes, leave the comment: I have made the requested changes; please review again.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bitdancer bitdancer

Assignees
No one assigned
Labels
CLA signed awaiting changes needs backport to 3.7 needs backport to 3.8 type-bugfix
Projects
None yet
Milestone
No milestone
4 participants
@maxking @bedevere-bot @bitdancer @the-knights-who-say-ni
You can’t perform that action at this time.