[issue29462] RFC822-comments in email header fields can fool, e.g., get_filename()

Alessandro Vesely report at bugs.python.org
Mon Feb 6 06:28:50 EST 2017


New submission from Alessandro Vesely:

Comments are allowed almost everywhere in an email message, and should be eliminated before attributing any meaning to a field.  In the words of RFC5322, any CRLF that appears in FWS is semantically "invisible".

In particular, some note that comments can be used to deceive an email filter.  For example, like so:

Content-Disposition: attachment;
 filename=''attached%2E";
 filename*1*="%62";
 filename*2=(fool filters)at

(I don't know which, if any, email clients would execute that batch...)

Anyway, removing comments is needed for any structured header field.  One is usually interested in the unfolded, de-commented value.  It is difficult to do correctly, because of nesting and quoting possibilities.

This issue seems to be ignored, except for address lists (there is a getcomment() member in AddrlistClass).  Why?

----------
components: email
messages: 287119
nosy: ale2017, barry, r.david.murray
priority: normal
severity: normal
status: open
title: RFC822-comments in email header fields can fool, e.g., get_filename()
type: behavior
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29462>
_______________________________________
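The unfolding and de-commenting the report asks for, as an added example (not code from the tracker issue or from the email package): it removes CRLF folding, then strips nested comments while leaving quoted-strings (so parentheses inside a quoted filename survive) and backslash quoted-pairs intact. The sample header value is constructed.

```python
import re

def unfold(value):
    """Remove the CRLF of folding white space (RFC 5322 section 2.2.3)."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)

def strip_comments(value):
    """Drop (nested) RFC 5322 comments outside quoted-strings, honouring
    backslash quoted-pairs; a removed comment counts as white space."""
    out, depth, in_quoted = [], 0, False
    i, n = 0, len(value)
    def emit_space():          # collapse runs of white space outside quotes
        if out and out[-1] not in " \t":
            out.append(" ")
    while i < n:
        ch = value[i]
        if ch == "\\" and i + 1 < n:   # quoted-pair: next char is literal
            if depth == 0:
                out.append(value[i:i + 2])
            i += 2
            continue
        if in_quoted:                  # parentheses here are not comments
            out.append(ch)
            in_quoted = ch != '"'
        elif depth:                    # inside a comment: track nesting only
            depth += ch == "("
            depth -= ch == ")"
            if depth == 0:
                emit_space()
        elif ch == "(":
            depth = 1
        elif ch in " \t":
            emit_space()
        else:
            in_quoted = ch == '"'
            out.append(ch)
        i += 1
    if depth:
        raise ValueError("unterminated comment in header value")
    return "".join(out).strip()

def clean_header(value):
    """Unfold and de-comment: the form a filter should inspect."""
    return strip_comments(unfold(value))

# Constructed sample value (not from the report): a comment before the
# parameter, parentheses inside the quoted filename, a nested comment.
SAMPLE = ("attachment; (fool filters)\r\n"
          ' filename="report (final).pdf";\r\n'
          " size=42 (nested (comment) with \\) escaped paren)")
```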

