[CVE-2024-6923] Encode newlines in headers, and verify headers are sound

The :mod:`~email.generator` will now refuse to serialize (write) headers
that are improperly folded or delimited, such that they would be parsed as
multiple headers or joined with adjacent data.
If you need to turn this safety feature off,
set `~email.policy.Policy.verify_generated_headers`.

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.

They do need to be properly quoted when serialized to text, though.

Fixes: gh#python#121650
Fixes: bsc#1228780 (CVE-2024-6923)
From-PR: gh#python/cpython!122233
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Bas Bloemsaat <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Jakub Stasiak <[email protected]>
Patch: CVE-2024-6923-email-hdr-inject.patch

Author: 4 people

Doc/library/email.errors.rst

@@ -59,6 +59,12 @@ The following exception classes are defined in the :mod:`email.errors` module:
    :class:`~email.mime.image.MIMEImage`).
 
 
+.. exception:: HeaderWriteError()
+
+   Raised when an error occurs when the :mod:`~email.generator` outputs
+   headers.
+
+
 Here is the list of the defects that the :class:`~email.parser.FeedParser`
 can find while parsing messages.  Note that the defects are added to the message
 where the problem was found, so for example, if a message nested inside a

Doc/library/email.policy.rst

@@ -229,6 +229,24 @@ added matters.  To illustrate::
 
       .. versionadded:: 3.6
 
+
+   .. attribute:: verify_generated_headers
+
+      If ``True`` (the default), the generator will raise
+      :exc:`~email.errors.HeaderWriteError` instead of writing a header
+      that is improperly folded or delimited, such that it would
+      be parsed as multiple headers or joined with adjacent data.
+      Such headers can be generated by custom header classes or bugs
+      in the ``email`` module.
+
+      As it's a security feature, this defaults to ``True`` even in the
+      :class:`~email.policy.Compat32` policy.
+      For backwards compatible, but unsafe, behavior, it must be set to
+      ``False`` explicitly.
+
+      .. versionadded:: 3.13
+
+
    The following :class:`Policy` method is intended to be called by code using
    the email library to create policy instances with custom settings: