Home Original page

Message 342466 - Python tracker

Message342466

Author r.david.murray
Recipients barry, matrixise, msapiro, r.david.murray
Date 2019-05-14.14:34:28
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1557844468.91.0.568603737918.issue36910@roundup.psfhosted.org>
In-reply-to
Content 
Not a security issue, no.  This isn't C where a stack overflow can give an attacker a vector for injecting arbitrary code.

Per the Parser contract ("raise no exceptions, only register defects"), this should, as you say, register a defect (email.errors.InvalidMultipartContentTransferEncodingDefect) and assume a CTE of 7bit for the rest of the parsing.  The problem here is that the feedparser is running into the "hack" I put in place in python3.2 for dealing with invalid binary data in headers (which is to turn it into a Header with charset unknown-8bit).  That works most of the time, but in cases like this it breaks down :(

Note that the new API (policy=default and friends) handles this without error.
History
Date User Action Args
2019-05-14 14:34:28r.david.murraysetrecipients: + r.david.murray, barry, msapiro, matrixise
2019-05-14 14:34:28r.david.murraysetmessageid: <1557844468.91.0.568603737918.issue36910@roundup.psfhosted.org>
2019-05-14 14:34:28r.david.murraylinkissue36910 messages
2019-05-14 14:34:28r.david.murraycreate