Email folding function Denial-of-Service
The email folding function enters an infinite loop if a header is longer than the policy maximum line length and contains many non-ASCII characters.
Regression introduced in Python 3.6.4.
- Disclosure date: 2018-05-16 (Python issue bpo-33529 reported)
Fixed In
- Python 3.6.9 (2019-07-03) fixed by commit 516a6a2 (branch 3.6) (2019-06-18)
- Python 3.7.4 (2019-07-09) fixed by commit 2fef5b0 (branch 3.7) (2019-05-14)
- Python 3.8.0 (2019-10-14) fixed by commit c1f5667 (branch 3.8) (2019-05-14)
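To check whether a given interpreter is exposed, the following added example (not code from CPython or from this advisory) compares the version against the releases listed above and runs a fold in a child process with a timeout, so a vulnerable runtime cannot hang the caller. The function names, the probe input and the 20-second timeout are assumptions made for illustration, as is treating 3.7.0 to 3.7.3 as affected.

```python
import subprocess
import sys


def affected_by_version(version=sys.version_info):
    """True if (major, minor, micro) lies in the affected range given on this page."""
    major, minor, micro = version[:3]
    if (major, minor) == (3, 6):
        return 4 <= micro < 9  # regression introduced in 3.6.4, fixed in 3.6.9
    if (major, minor) == (3, 7):
        # Assumption: 3.7.0-3.7.3 carry the 3.6.4 regression; the page only
        # states that 3.7.4 contains the fix.
        return micro < 4
    return False  # older than the regression, or 3.8.0 and later


# Source run in the child process. Constructed input: a single non-ASCII
# "word" with no spaces, longer than the default policy's max_line_length (78).
PROBE = r'''
from email.policy import default
default.fold("Subject", "\u00e9" * 200)
'''


def fold_terminates(timeout=20.0, python=sys.executable):
    """Fold the probe header in a child process.

    Returns True if folding finished, False if the child was still running
    when the timeout expired (subprocess.run kills it in that case).
    Any other failure of the child raises CalledProcessError.
    """
    try:
        subprocess.run([python, "-c", PROBE], check=True, timeout=timeout,
                       stdout=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return False
    return True


if __name__ == "__main__":
    print("affected by version:", affected_by_version())
    print("fold terminates:", fold_terminates())
```

The behavioural check is useful for distribution builds whose version string does not show whether the fix was backported.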
Python issue
[security] Infinite loop on folding email (_fold_as_ew()) if an header has no spaces.
- Python issue: bpo-33529
- Creation date: 2018-05-16
- Reporter: Rad164
Timeline
Timeline using the disclosure date 2018-05-16 as reference:
- 2018-05-16: Python issue bpo-33529 reported by Rad164
- 2019-05-14 (+363 days): commit 2fef5b0 (branch 3.7)
- 2019-05-14 (+363 days): commit c1f5667 (branch 3.8)
- 2019-06-18 (+398 days): commit 516a6a2 (branch 3.6)
- 2019-07-03 (+413 days): Python 3.6.9 released
- 2019-07-09 (+419 days): Python 3.7.4 released
- 2019-10-14: Python 3.8.0 released