[issue32606] Email Header Injection Protection Bypass

R. David Murray report at bugs.python.org
Sat Jan 27 22:56:39 EST 2018


R. David Murray <rdmurray at bitdance.com> added the comment:

Yes.

There's this thing called Postel's Law that says you should be generous in what you accept and careful in what you emit.  So most MTAs and MUAs try very hard to guess what a non-RFC-compliant email is trying to say, which includes allowing spaces between the label and the colon (which I believe was legal at least in RFC 822, though I haven't checked).  If there's a space in the label, the handling for that is less predictable.  The email library's default is to treat that as a non-header line and therefore the start of the body (even if not followed by a blank line).

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32606>
_______________________________________
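
Added example, not part of the original message and not CPython's own code: it runs the standard-library parser with its default policy over three constructed messages and reports where the header block ended. The helper name header_block_report and all sample addresses are assumptions made for illustration; the third sample (a space directly before the colon) goes beyond the case the comment describes.

```python
import email
from email.errors import MissingHeaderBodySeparatorDefect

# Constructed sample messages (not taken from the tracker issue).
WELL_FORMED = "From: a@example.com\nSubject: hi\n\nbody\n"
SPACE_IN_LABEL = "From: a@example.com\nX Custom: 1\nSubject: hi\n\nbody\n"
SPACE_BEFORE_COLON = "From: a@example.com\nSubject : hi\n\nbody\n"


def header_block_report(raw):
    """Parse raw with the default policy and report where headers stopped.

    Hypothetical helper for this example. Returns the header names the
    parser accepted, the text it treated as body, and whether it recorded
    that the headers ended without a blank separator line.
    """
    msg = email.message_from_string(raw)
    cut_short = any(
        isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects
    )
    return {
        "headers": msg.keys(),
        "body": msg.get_payload(),
        "cut_short": cut_short,
    }


if __name__ == "__main__":
    samples = [
        ("well formed", WELL_FORMED),
        ("space in label", SPACE_IN_LABEL),
        ("space before colon", SPACE_BEFORE_COLON),
    ]
    for name, raw in samples:
        report = header_block_report(raw)
        print(name)
        print("  headers  :", report["headers"])
        print("  cut short:", report["cut_short"])
        print("  body     :", repr(report["body"]))
```

Code that filters or logs on parsed headers can check msg.defects for MissingHeaderBodySeparatorDefect to notice when later header-looking lines were pushed into the body, where a more lenient MTA or MUA may still read them as headers.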

