Vamsi-klu commented on PR #69435:
URL: https://github.com/apache/airflow/pull/69435#issuecomment-4912281464

   Confirmed the root cause and the fix. build_mime_message and 
SmtpHook._build_mime_message both built Content-Disposition via an f-string, so 
a filename containing a double quote (e.g. report.txt"; x-evil="1) closes the 
quoted value and injects an extra parameter. Switching to 
part.add_header("Content-Disposition", "attachment", filename=basename) hands 
escaping to the stdlib. Ordinary names come out byte-identical to the old 
output (attachment; filename="report.txt"), names with a quote get 
backslash-escaped inside the quotes with no injected param, and non-ASCII names 
are RFC 2231 encoded; get_filename() round-trips in every case. Both call sites 
are fixed and each has a regression test that fails against the old f-string 
(asserts get_filename() equals the raw name and x-evil is not in the parsed 
params). I also checked the imap provider hook, which showed up in a search for 
the same pattern, but it only parses received Content-Disposition headers, so 
there is no third site to fi
 x. One nit: the description says RFC 2231-encoded, but for ASCII-with-quote 
inputs it is actually quoted-string backslash escaping (RFC 2231 only kicks in 
for non-ASCII) -- same security result, just worth correcting in the summary. 
Practical severity is limited since attachment filenames are usually 
operator/DAG-author controlled, so this is hardening more than a high-severity 
exploit. LGTM.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to