newline character in the attachment filename, due to a folded content-disposition header, prevents forwarding mail. · Issue #52 · akissinger/dodo · GitHub
Open
@hbog

For example, forwarding a mail message containing an attachment with a folded content-disposition header:

...
Content-Disposition: attachment;
        filename="Foo Bar Technology - Data Centre Hardware Maintenance and
 Monitoring (December 2021).pdf"; size=599285;
        creation-date="Thu, 04 Aug 2022 14:17:36 GMT";
        modification-date="Thu, 04 Aug 2022 14:21:02 GMT"
Content-Transfer-Encoding: base64
...

Results in the following attachment file:

$ ls /tmp/dodo-n0njogin
'Foo Bar Technology - Data Centre Hardware Maintenance and'$'\n'' Monitoring (December 2021).pdf'

and the following mail composition template:

From: example@example.org
To:recipient@foobar.org
Subject: FW: Hardware Maintenance manual
A: Foo Bar Technology - Data Centre Hardware Maintenance and
 Monitoring (December 2021).pdf

Upon sending this forwarded mail, the exception "Header values may not contain linefeed or carriage return characters" is thrown.

The presence of newline characters in the filename of the attachments may also have (security) implications with certain file management tools and scripts.

The issue is due to a bug in the get_filename() method of the (legacy) email.message.Message class. This bug is not present in the EmailMessage class:

$ python
>>> import email
>>> import email.policy
>>> f = open('mail.txt','r')
>>> msg = email.message_from_file(f)
>>> for part in msg.walk():
...   print(part.get_filename())
...
None
None
None
None
Foo Bar Technology - Data Centre Hardware Maintenance and
 Monitoring (December 2021).pdf
>>> f = open('mail.txt','r')
>>> msg = email.message_from_file(f,policy=email.policy.default)
>>> for part in msg.walk():
...   print(part.get_filename())
...
None
None
None
None
Foo Bar Technology - Data Centre Hardware Maintenance and Monitoring (December 2021).pdf
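
A self-contained reproduction of the behaviour reported above, together with one way to normalise attachment names before they reach the filesystem or a header. This is an added example, not code from dodo; the sample message is constructed, and `parsed_filename`, `safe_attachment_name`, `header_accepts` and the `X-Attachment` header name are hypothetical.

```python
import email
import email.policy
import os
import re
from email.message import EmailMessage

# Constructed sample: a single part whose filename parameter is folded.
RAW = (
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "Content-Type: application/pdf\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"Quarterly Hardware Maintenance and\n"
    " Monitoring (constructed).pdf\"; size=5\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "aGVsbG8=\n"
)

def parsed_filename(raw, policy):
    """Return get_filename() for the message parsed under the given policy."""
    return email.message_from_string(raw, policy=policy).get_filename()

def safe_attachment_name(name, fallback="attachment"):
    """Normalise an untrusted attachment name to a single path component."""
    if not name:
        return fallback
    name = re.sub(r"[\r\n\t ]+", " ", name)             # undo header folding
    name = "".join(c for c in name if c.isprintable())  # drop control chars
    name = os.path.basename(name.replace("\\", "/"))    # no directory parts
    return name.strip(" .") or fallback

def header_accepts(value):
    """True if EmailMessage accepts value as a header (no CR/LF)."""
    msg = EmailMessage()
    try:
        msg["X-Attachment"] = value
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    legacy = parsed_filename(RAW, email.policy.compat32)
    modern = parsed_filename(RAW, email.policy.default)
    print("compat32:", repr(legacy), "header ok:", header_accepts(legacy))
    print("default: ", repr(modern), "header ok:", header_accepts(modern))
    print("sanitised:", repr(safe_attachment_name(legacy)))
```

Normalising the name at the point where the attachment is saved covers both the file on disk and the composition template, regardless of which parser policy produced the value.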
