[issue32606] Email Header Injection Protection Bypass

2018-09-29 Thread Cheryl Sabella
Cheryl Sabella added the comment: Should this be closed as 'not a bug'? -- nosy: +cheryl.sabella

[issue32606] Email Header Injection Protection Bypass

2018-01-27 Thread R. David Murray
R. David Murray added the comment: Yes. There's this thing called Postel's Law that says you should be generous in what you accept and careful in what you emit. So most MTAs and MUAs try very hard to guess what a non-RFC-compliant email is trying to say, which includes allowing spaces betwe

[issue32606] Email Header Injection Protection Bypass

2018-01-27 Thread Nitish
Nitish added the comment: RFC 5322[1] says that a header field's name can't have a space in it and must be immediately followed by the ':' character. Is it common for SMTP servers to accept messages with ' ' before ':'? [1] https://tools.ietf.org/html/rfc5322#section-2.2 -- nosy: +n

[issue32606] Email Header Injection Protection Bypass

2018-01-20 Thread Dalton Campbell
Change by Dalton Campbell: -- nosy: +barry

[issue32606] Email Header Injection Protection Bypass

2018-01-20 Thread Dalton Campbell
New submission from Dalton Campbell: The protections implemented in https://github.com/python/cpython/blob/master/Lib/email/header.py to prevent Email Header injection can be bypassed by specifying an injected additional header in the following format: exam...@python.org\ncc :injec...@python