Issue 34104: email.message.get_payload should enforce correct encoding
Created on 2018-07-12 18:25 by droz, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Messages (2) | |||
|---|---|---|---|
| msg321574 - (view) | Author: Serge Droz (droz) | Date: 2018-07-12 18:25 | |
The issue is really this: https://noxxi.de/research/mime-5-easy-steps-to-bypass-av.html get_payload with decode=True should check the validity of the syntax and throw an error if it is not. This would happen if the underlying call to base64.decode would be called with validate=True |
|||
| msg321579 - (view) | Author: R. David Murray (r.david.murray) | Date: 2018-07-12 19:54 | |
It looks like the virus checkers are not doing robust decoding that the email RFCs recommend, and that Thunderbird is. This is obviously a bug in the virus scanners. By default, like Thunderbird, the email library does its best to decode attachments. If you want your application to reject such attachments, then in python3 you can check for defects after doing the get_payload, or you can set the policy to 'strict' (that is, raise_on_defect=True) when parsing the email. |
|||
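The two options named in the reply above, shown side by side as an added example (not code from the issue or from CPython): checking `defects` after `get_payload(decode=True)`, and parsing with `policy.strict` so the same defect is raised. The message, addresses, boundary, payload and the helper names `build_raw` and `scan` are constructed for illustration.

```python
import base64
import email
from email import errors, policy

# Constructed sample data (not from the issue): a 24-byte attachment body.
PAYLOAD = b"constructed attachment.\n"
GOOD_B64 = base64.b64encode(PAYLOAD).decode("ascii")
# Same data with two characters outside the base64 alphabet spliced in.
BAD_B64 = GOOD_B64[:8] + "!!" + GOOD_B64[8:]


def build_raw(b64_body: str) -> bytes:
    """Build a constructed multipart message with one base64 attachment."""
    return (
        "From: sender@example.com\r\n"
        "To: rcpt@example.com\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
        "\r\n--BOUND\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\nsee attachment\r\n--BOUND\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="sample.bin"\r\n'
        f"\r\n{b64_body}\r\n--BOUND--\r\n"
    ).encode("ascii")


def scan(raw: bytes, strict: bool = False):
    """Decode every leaf part; return (filename, data, defect names) tuples."""
    pol = policy.strict if strict else policy.default
    msg = email.message_from_bytes(raw, policy=pol)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Lenient policy records decoding defects on the part; strict raises here.
        data = part.get_payload(decode=True)
        names = [type(d).__name__ for d in part.defects]
        results.append((part.get_filename(), data, names))
    return results


if __name__ == "__main__":
    try:
        scan(build_raw(BAD_B64), strict=True)
    except errors.MessageDefect as exc:
        print("strict policy rejected message:", type(exc).__name__)
```

Under the default policy the malformed attachment still decodes to the same bytes a lenient mail client would see, so a filter can scan that content and also quarantine on a non-empty defect list.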
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:03 | admin | set | github: 78285 |
| 2018-07-12 19:54:35 | r.david.murray | set | status: open -> closed nosy: + r.david.murray resolution: out of date |
| 2018-07-12 18:25:32 | droz | set | type: security |
| 2018-07-12 18:25:22 | droz | create | |
