[3.11] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) #122608

Merged
merged 1 commit into from
Sep 4, 2024

@ambv ambv commented Aug 2, 2024

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include a newline character in a header value, just like we already allow undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

GH-GH- Verify that email headers are well-formed

This should fail for custom fold() implementations that aren't careful about newlines.

(cherry picked from commit 0976339)


📚 Documentation preview 📚: https://cpython-previews--122608.org.readthedocs.build/

…s are sound (pythonGH-122233)

GH-GH- Encode header parts that contain newlines

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

GH-GH- Verify that email headers are well-formed

This should fail for custom fold() implementations that aren't careful
about newlines.

(cherry picked from commit 0976339)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

@vstinner vstinner left a comment

LGTM: straightforward backport and the change is properly documented as .. versionadded:: 3.11.10 with "Notable changes in 3.11.10" in What's New in Python 3.11. I compared this 3.11 change to the change in the main branch.

@ambv ambv merged commit f7c0f09 into python:3.11 Sep 4, 2024
26 checks passed
@ambv ambv deleted the backport-0976339-3.11 branch September 4, 2024 15:39
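
The two ideas in the pull request description (a newline in a header value carried inside an RFC 2047 encoded word, and a soundness check on the serialized header) can be illustrated as follows. This is an added example, not code from this pull request or from CPython; `header_is_sound`, `serialize_header` and `decode_value` are hypothetical names, and the sample value is constructed.

```python
import re
from email.header import decode_header
from email.quoprimime import header_encode

# A line break that is not followed by a space or tab ends the header:
# whatever comes next is parsed as a new header line (or as the body).
NEWLINE_WITHOUT_FWS = re.compile(r"\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]")


def header_is_sound(folded: str, linesep: str = "\n") -> bool:
    """Check one serialized header: it must end with linesep, and every
    inner line break must be followed by folding whitespace."""
    if not folded.endswith(linesep):
        return False
    return NEWLINE_WITHOUT_FWS.search(folded[: -len(linesep)]) is None


def serialize_header(name: str, value: str, linesep: str = "\n") -> str:
    """Serialize a short header; a value containing CR or LF is emitted as
    one RFC 2047 "Q" encoded word, so the line break travels as =0D / =0A.
    (Folding of long values is left out to keep the example small.)"""
    if "\r" in value or "\n" in value:
        value = header_encode(value.encode("utf-8"), charset="utf-8")
    return f"{name}: {value}{linesep}"


def decode_value(raw: str) -> str:
    """Decode RFC 2047 encoded words back to text, as a mail reader would."""
    return "".join(
        part.decode(charset or "ascii") if isinstance(part, bytes) else part
        for part, charset in decode_header(raw)
    )


if __name__ == "__main__":
    value = "Hi\nX-Injected: 1"        # constructed sample value
    naive = f"Subject: {value}\n"      # raw concatenation, no encoding
    safe = serialize_header("Subject", value)
    print(header_is_sound(naive), header_is_sound(safe))
    print(repr(safe), repr(decode_value(safe[len("Subject: "):-1])))
```

The raw concatenation fails the check because the embedded line break is followed by a non-whitespace character, while the encoded form stays on one header line and still decodes to the original value.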