Email header injection in Address objects

It is possible to inject email headers using CR or LF character.

The fix disallows CR and LF characters in email.headerregistry.Address arguments to guard against header injection attacks.

  • Disclosure date: 2019-12-17 (Python issue bpo-39073 reported)

Fixed In

Vulnerable Versions

  • Python 3.5 (need release)

Python issue

email incorrect handling of crlf in Address objects.

  • Python issue: bpo-39073
  • Creation date: 2019-12-17
  • Reporter: Jasper Spaans

Timeline

Timeline using the disclosure date 2019-12-17 as reference: