Re: CPython CVE-2024-6923: Email header injection due to unquoted newlines

[Hanno Böck <hanno () hboeck de>]

Hi,

For what it's worth, I found a somewhat similar issue in PHP not so
long ago.

PHP has two interfaces to pass additional mail headers, one just passing
a multiline string (which unavoidably creates injection risks), and
another one with an array. The latter can avoid newline injections, but
it only did so for "\r\n", not for "\n". (Whether that'll be accepted
depends I believe on the mail server, but most will *ceterum censeo
Hanno moaning about the misguided robustness principle*...)

I hadn't really seen this as a security vulnerability, more a hardening
issue, so I reported it as a suggestion to PHP, and they improved their
filtering. It was fixed/improved:
https://github.com/php/php-src/issues/13402

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/