[3.8] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28036)

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Sun, 29 Aug 2021 15:04:17 +0000 (08:04 -0700)

committer GitHub <noreply@github.com>

Sun, 29 Aug 2021 15:04:17 +0000 (17:04 +0200)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Sun, 29 Aug 2021 15:04:17 +0000 (08:04 -0700)
committer GitHub <noreply@github.com>
Sun, 29 Aug 2021 15:04:17 +0000 (17:04 +0200)
diff --git a/Lib/smtplib.py b/Lib/smtplib.py

index 4c5ba7e10d0d9d30327ecdc49e31781db5b12813..9c390db0bfa7d1d67fc0dd99e4ff9a1515b308e6 100755 (executable)
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -365,10 +365,15 @@ class SMTP:
      def putcmd(self, cmd, args=""):
          """Send a command to the server."""
          if args == "":
-            str = '%s%s' % (cmd, CRLF)
+            s = cmd
          else:
-            str = '%s %s%s' % (cmd, args, CRLF)
-        self.send(str)
+            s = f'{cmd} {args}'
+        if '\r' in s or '\n' in s:
+            s = s.replace('\n', '\\n').replace('\r', '\\r')
+            raise ValueError(
+                f'command and arguments contain prohibited newline characters: {s}'
+            )
+        self.send(f'{s}{CRLF}')
  
      def getreply(self):
          """Get a reply from the server.
diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py

index c9205ae7ffa501aa930bdb7741257244d8255e92..d14eb455bc9ed7172883c2e9d73291cce39675e5 100644 (file)
--- a/Lib/test/test_smtplib.py
+++ b/Lib/test/test_smtplib.py
@@ -294,6 +294,16 @@ class DebuggingServerTests(unittest.TestCase):
          self.assertEqual(smtp.getreply(), expected)
          smtp.quit()
  
+    def test_issue43124_putcmd_escapes_newline(self):
+        # see: https://bugs.python.org/issue43124
+        smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost',
+                            timeout=10)  # support.LOOPBACK_TIMEOUT in newer Pythons
+        self.addCleanup(smtp.close)
+        with self.assertRaises(ValueError) as exc:
+            smtp.putcmd('helo\nX-INJECTED')
+        self.assertIn("prohibited newline characters", str(exc.exception))
+        smtp.quit()
+
      def testVRFY(self):
          smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=3)
          self.addCleanup(smtp.close)
@@ -369,6 +379,51 @@ class DebuggingServerTests(unittest.TestCase):
          mexpect = '%s%s\n%s' % (MSG_BEGIN, m, MSG_END)
          self.assertEqual(self.output.getvalue(), mexpect)
  
+    def test_issue43124_escape_localhostname(self):
+        # see: https://bugs.python.org/issue43124
+        # connect and send mail
+        m = 'wazzuuup\nlinetwo'
+        smtp = smtplib.SMTP(HOST, self.port, local_hostname='hi\nX-INJECTED',
+                            timeout=10)  # support.LOOPBACK_TIMEOUT in newer Pythons
+        self.addCleanup(smtp.close)
+        with self.assertRaises(ValueError) as exc:
+            smtp.sendmail("hi@me.com", "you@me.com", m)
+        self.assertIn(
+            "prohibited newline characters: ehlo hi\\nX-INJECTED",
+            str(exc.exception),
+        )
+        # XXX (see comment in testSend)
+        time.sleep(0.01)
+        smtp.quit()
+
+        debugout = smtpd.DEBUGSTREAM.getvalue()
+        self.assertNotIn("X-INJECTED", debugout)
+
+    def test_issue43124_escape_options(self):
+        # see: https://bugs.python.org/issue43124
+        # connect and send mail
+        m = 'wazzuuup\nlinetwo'
+        smtp = smtplib.SMTP(
+            HOST, self.port, local_hostname='localhost',
+            timeout=10)  # support.LOOPBACK_TIMEOUT in newer Pythons
+
+        self.addCleanup(smtp.close)
+        smtp.sendmail("hi@me.com", "you@me.com", m)
+        with self.assertRaises(ValueError) as exc:
+            smtp.mail("hi@me.com", ["X-OPTION\nX-INJECTED-1", "X-OPTION2\nX-INJECTED-2"])
+        msg = str(exc.exception)
+        self.assertIn("prohibited newline characters", msg)
+        self.assertIn("X-OPTION\\nX-INJECTED-1 X-OPTION2\\nX-INJECTED-2", msg)
+        # XXX (see comment in testSend)
+        time.sleep(0.01)
+        smtp.quit()
+
+        debugout = smtpd.DEBUGSTREAM.getvalue()
+        self.assertNotIn("X-OPTION", debugout)
+        self.assertNotIn("X-OPTION2", debugout)
+        self.assertNotIn("X-INJECTED-1", debugout)
+        self.assertNotIn("X-INJECTED-2", debugout)
+
      def testSendNullSender(self):
          m = 'A test message'
          smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=3)
diff --git a/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst b/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst

new file mode 100644 (file)

index 0000000..e897d6c
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst
@@ -0,0 +1,2 @@
+Made the internal ``putcmd`` function in :mod:`smtplib` sanitize input for
+presence of ``\r`` and ``\n`` characters to avoid (unlikely) command injection.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Sun, 29 Aug 2021 15:04:17 +0000 (08:04 -0700)
committer	GitHub <noreply@github.com>
	Sun, 29 Aug 2021 15:04:17 +0000 (17:04 +0200)
Lib/smtplib.py		patch \| blob \| blame \| history
Lib/test/test_smtplib.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst	[new file with mode: 0644]	patch \| blob