New submission from Aaryn Tonita <aa...@startmail.com>:

When using a policy for an EmailMessage that triggers folding (during 
serialization) of a fairly long display_name in an address field, the folding 
process removes the quotes from the display name breaking the semantics of the 
field.

In particular, for a From address's display name like r'anyth...@anything.com ' 
+ 'a' * MAX_LINE_LEN the folding puts anyth...@anything.com unquoted 
immediately after the From: header. For applications that do sender 
verification inside and then send it to an internal SMTP server that does not 
perform its own sender verification this could be considered a security issue 
since it enables sender spoofing. Receiving mail servers might be able to 
detect the broken header, but experiments show that the mail gets delivered.

Simple demonstration (reproduced in attachment) of issue:

import email.policy
from email.headerregistry import Address
from email.message import EmailMessage
from email.parser import BytesParser

SMTP_POLICY = email.policy.default.clone(linesep='\r\n', max_line_length=72)
address = Address(display_name=r'anyth...@anything.com ' + 'a' * 72,
                  addr_spec='d...@local.startmail.org')

message = EmailMessage(policy=SMTP_POLICY)
message['From'] = address

# Trigger folding (via as_string()), then parse it back in.
msg_string = message.as_string()
msg_bytes = msg_string.encode('utf-8')
msg_deserialized = BytesParser(policy=SMTP_POLICY).parsebytes(msg_bytes)

# Verify badness: the re-parsed From header should equal the original address.
from_hdr = msg_deserialized['From']
assert from_hdr != str(address)  # But they should be equal...

----------
components: email
files: address_folding_bug.py
messages: 335975
nosy: aaryn.startmail, barry, r.david.murray
priority: normal
severity: normal
status: open
title: email: folding of quoted string in display_name violates RFC
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7
Added file: https://bugs.python.org/file48155/address_folding_bug.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36041>
_______________________________________
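A pre-send guard for the failure mode the report describes, added here as an example (it is not code from the bug report or from CPython): it serializes the message with the outgoing policy, parses the bytes back and refuses to treat the From address as intact unless the display name and addr-spec round-trip with no parser defects. SMTP_POLICY mirrors the report's policy; check_from_roundtrip, affected_by_folding_bug, the display name and the example.invalid addresses are constructed for this example.

```python
import email.policy
from email.headerregistry import Address
from email.message import EmailMessage
from email.parser import BytesParser

SMTP_POLICY = email.policy.default.clone(linesep='\r\n', max_line_length=72)

# Constructed display name in the shape the report describes: an address-looking
# prefix followed by a run of text long enough to force folding of the header.
LONG_DISPLAY_NAME = 'looks-like@spoofed.invalid ' + 'a' * 72


def check_from_roundtrip(display_name, addr_spec, policy=SMTP_POLICY):
    """Serialize a message carrying the intended From address, parse the bytes
    back with the same policy, and report whether the address survived folding."""
    intended = Address(display_name=display_name, addr_spec=addr_spec)
    msg = EmailMessage(policy=policy)
    msg['From'] = intended
    msg.set_content('constructed body')

    # as_bytes() performs the same folding the SMTP layer would put on the wire.
    parsed = BytesParser(policy=policy).parsebytes(msg.as_bytes())
    from_hdr = parsed['From']
    addrs = tuple(from_hdr.addresses) if from_hdr is not None else ()
    defects = [type(d).__name__ for d in from_hdr.defects] if from_hdr is not None else []
    got = addrs[0] if len(addrs) == 1 else None

    # Reject on any sign of tampering: extra addresses, parser defects, or a
    # display name / addr-spec that differs from what the application set.
    ok = (
        got is not None
        and not defects
        and got.display_name == display_name
        and got.addr_spec == addr_spec
    )
    return {
        'ok': ok,
        'address_count': len(addrs),
        'parsed_display_name': got.display_name if got is not None else None,
        'parsed_addr_spec': got.addr_spec if got is not None else None,
        'defects': defects,
    }


def affected_by_folding_bug():
    """True when this interpreter mangles the report's long quoted display name,
    i.e. the From header does not round-trip and a send should be refused."""
    return not check_from_roundtrip(LONG_DISPLAY_NAME, 'sender@example.invalid')['ok']
```

Run the check against the exact policy the sending code uses; a result with ok False is the signal to drop the message rather than hand it to an SMTP server that does no sender verification of its own.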