gh-143921: Reject control characters in IMAP commands

2026-01-30 11:12:06 +00:00 · 2026-01-20 14:45:42 -06:00 · 2026-01-20 14:45:42 -06:00 · 6262704b13
commit 6262704b13
parent 27a7160b8b
3 changed files with 10 additions and 1 deletions
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@ -129,7 +129,7 @@
 # We compile these in _mode_xxx.
 _Literal = br'.*{(?P<size>\d+)}$'
 _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
-
+_control_chars = re.compile(b'[\x00-\x1F\x7F]')


 class IMAP4:
@ -1105,6 +1105,8 @@ def _command(self, name, *args):
            if arg is None: continue
            if isinstance(arg, str):
                arg = bytes(arg, self._encoding)
+            if _control_chars.search(arg):
+                raise ValueError("Control characters not allowed in commands")
            data = data + b' ' + arg

        literal = self.literal
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@ -657,6 +657,12 @@ def test_unselect(self):
        self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
        self.assertEqual(client.state, 'AUTH')

+    def test_control_characters(self):
+        client, _ = self._setup(SimpleIMAPHandler)
+        for c0 in support.control_characters_c0():
+            with self.assertRaises(ValueError):
+                client.login(f'user{c0}', 'pass')
+
    # property tests

    def test_file_property_should_not_be_accessed(self):
--- a/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
@ -0,0 +1 @@
+Reject control characters in IMAP commands.