Skip to content

[3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) #15446

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
larryhastings merged 3 commits into from
Sep 7, 2019
Merged

[3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) #15446

larryhastings merged 3 commits into from
Sep 7, 2019

Conversation

@maxking
Copy link
Contributor

@maxking maxking commented Aug 24, 2019
edited
Loading

  • bpo-37461: Fix infinite loop in parsing of specially crafted email headers.

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994b)

Co-authored-by: Abhilash Raj [email protected]

https://bugs.python.org/issue37461

@maxking
[3.5] bpo-37461: Fix infinite loop in parsing of specially crafted em…
235bc86 
…ail headers (pythonGH-14794)

* bpo-37461: Fix infinite loop in parsing of specially crafted email headers.

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994b)

Co-authored-by: Abhilash Raj <[email protected]>
@maxking maxking requested a review from larryhastings August 24, 2019 04:55
@bedevere-bot bedevere-bot added the type-security A security issue label Aug 24, 2019
@maxking maxking changed the title [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted em… [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) Aug 24, 2019
epicfaace
epicfaace suggested changes Aug 26, 2019
View reviewed changes
@larryhastings larryhastings merged commit c28e4a5 into python:3.5 Sep 7, 2019
@bedevere-bot
Copy link

bedevere-bot commented Sep 7, 2019

@larryhastings: Please replace # with GH- in the commit message next time. Thanks!

@larryhastings
Copy link
Contributor

larryhastings commented Sep 7, 2019

Thanks for the 3.5 backport love!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@larryhastings larryhastings Awaiting requested review from larryhastings

1 more reviewer

@epicfaace epicfaace epicfaace requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@maxking @bedevere-bot @larryhastings @epicfaace @the-knights-who-say-ni