R. David Murray 5b2d9ddf69 #5871: protect against header injection attacks. ...

This makes Header.encode throw a HeaderParseError if it winds up
formatting a header such that a continuation line has no leading
whitespace and looks like a header.  Since Header accepts values
containing newlines and preserves them (and this is by design), without
this fix any program that took user input (say, a subject in a web form)
and passed it to the email package as a header was vulnerable to header
injection attacks.  (As far as we know this has never been exploited.)

Thanks to Jakub Wilk for reporting this vulnerability.

2011-01-09 02:35:24 +00:00

..

mime

…

test

#5871: protect against header injection attacks.

2011-01-09 02:35:24 +00:00

__init__.py

#4661: add bytes parsing and generation to email (email version bump to 5.1.0)

2010-10-08 15:55:28 +00:00

_parseaddr.py

#1155362: allow hh:mm:ss-uuuu like we allow hh:mm:ss+uuuu in parsedate_tz

2010-12-23 20:35:46 +00:00

base64mime.py

Issue #4770: Restrict binascii module to accept only bytes (as specified).

2010-07-27 21:20:15 +00:00

charset.py

#10686: recode non-ASCII headers to 'unknown-8bit' instead of ?s.

2011-01-07 23:25:30 +00:00

encoders.py

#4768: store base64 encoded email body parts as text, not binary.

2010-06-04 16:11:08 +00:00

errors.py

…

feedparser.py

#4661: add bytes parsing and generation to email (email version bump to 5.1.0)

2010-10-08 15:55:28 +00:00

generator.py

Fix the change made for issue 1243654.

2010-12-21 18:07:59 +00:00

header.py

#5871: protect against header injection attacks.

2011-01-09 02:35:24 +00:00

iterators.py

…

message.py

#10686: recode non-ASCII headers to 'unknown-8bit' instead of ?s.

2011-01-07 23:25:30 +00:00

parser.py

Properly close a temporary TextIOWrapper in 'email'.

2010-10-29 23:08:13 +00:00

quoprimime.py

#10004: in Q encoded word ignore '=xx' when xx is not valid hex.

2010-10-01 15:40:20 +00:00

utils.py

#8989: add 'domain' keyword to make_msgid.

2010-12-02 21:47:19 +00:00