Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-10-31 21:51:50 +00:00
Code Issues Projects Releases Packages Wiki Activity

bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)

Browse source 
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers.

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
This commit is contained in:
Abhilash Raj 2019-07-17 09:44:27 -07:00 committed by Barry Warsaw
parent 82494aa6d9
commit a4a994bd3e
3 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Lib/email/_header_value_parser.py
View file

@ -2496,6 +2496,9 @@ def get_parameter(value):
while value:
if value[0] in WSP:
token, value = get_fws(value)
elif value[0] == '"':
token = ValueTerminal('"', 'DQUOTE')
value = value[1:]
else:
token, value = get_qcontent(value)
v.append(token)