.. _email-address-header-injection:

Email header injection in Address objects
=========================================

.. warning::

   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available
   on GitHub in the Open Source Vulnerability (OSV) format. This database can
   be viewed online at the Open Source Vulnerability Database.

It is possible to inject email headers using CR or LF characters.

The fix disallows CR and LF characters in ``email.headerregistry.Address``
arguments to guard against header injection attacks.

Dates:

* Disclosure date: **2019-12-17** (Python issue bpo-39073 reported)

Fixed In
--------

* Python **3.5.10** (2020-09-05) fixed by commit f91a0b6 (branch 3.5) (2020-06-12)
* Python **3.6.11** (2020-06-27) fixed by commit 7df32f8 (branch 3.6) (2020-05-27)
* Python **3.7.8** (2020-06-27) fixed by commit a93bf82 (branch 3.7) (2020-05-27)
* Python **3.8.4** (2020-07-13) fixed by commit 75635c6 (branch 3.8) (2020-05-27)
* Python **3.9.0** (2020-10-05) fixed by commit 614f172 (branch 3.9) (2020-03-30)

Python issue
------------

[security] email module incorrect handling of CR and LF newline characters in
Address objects.

* Python issue: bpo-39073
* Creation date: 2019-12-17
* Reporter: Jasper Spaans

Timeline
--------

Timeline using the disclosure date **2019-12-17** as reference:

* 2019-12-17: Python issue bpo-39073 reported by Jasper Spaans
* 2020-03-30 (**+104 days**): commit 614f172 (branch 3.9)
* 2020-05-27 (**+162 days**): commit 75635c6 (branch 3.8)
* 2020-05-27 (**+162 days**): commit 7df32f8 (branch 3.6)
* 2020-05-27 (**+162 days**): commit a93bf82 (branch 3.7)
* 2020-06-12 (**+178 days**): commit f91a0b6 (branch 3.5)
* 2020-06-27 (**+193 days**): Python 3.6.11 released
* 2020-06-27 (**+193 days**): Python 3.7.8 released
* 2020-07-13 (**+209 days**): Python 3.8.4 released
* 2020-09-05 (**+263 days**): Python 3.5.10 released
* 2020-10-05: Python 3.9.0 released
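
A defensive check matching the fix described at the top of this page, as an added example (not code from CPython or from this page): ``interpreter_rejects_crlf`` reports whether the running interpreter's ``Address`` already refuses CR/LF, and ``safe_address`` applies the same rule itself so that code still running on an unfixed release behaves the same way. Both function names and all sample values are hypothetical.

```python
from email.headerregistry import Address


def interpreter_rejects_crlf():
    """True if this interpreter's Address refuses CR/LF, as the fixed releases do."""
    try:
        # Constructed probe value: a display name with an embedded CR LF pair.
        Address(display_name="probe\r\nvalue", username="user", domain="example.com")
    except ValueError:
        return True
    return False


def safe_address(display_name="", username="", domain="", addr_spec=None):
    """Build an Address after rejecting CR/LF in every argument.

    Hypothetical helper: it applies the rule the fix enforces, so the result
    does not depend on which Python release is running.
    """
    parts = {
        "display_name": display_name,
        "username": username,
        "domain": domain,
        "addr_spec": addr_spec or "",
    }
    bad = sorted(name for name, value in parts.items()
                 if "\r" in value or "\n" in value)
    if bad:
        raise ValueError("CR or LF in Address argument(s): " + ", ".join(bad))
    return Address(display_name, username, domain, addr_spec)


if __name__ == "__main__":
    print("interpreter has the fix:", interpreter_rejects_crlf())
    print(safe_address("Alice Example", "alice", "example.com"))
    # Constructed inputs, one per argument, each carrying a stray line break.
    for kwargs in ({"display_name": "Alice\nExample"},
                   {"username": "alice\r", "domain": "example.com"},
                   {"addr_spec": "alice@example.com\r\n"}):
        try:
            safe_address(**kwargs)
        except ValueError as exc:
            print("rejected:", exc)
```
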