堆栈内存溢出
  简体   繁体   English

email.errors.HeaderParseError:标头值似乎包含嵌入式标头:

[英]email.errors.HeaderParseError: header value appears to contain an embedded header:

 原文  2018-10-15 08:51:35       python/ security/ mime-types/ code-injection

问题描述

I am trying to restore mails using soap messages using office api's but it is giving 'header value appears to contain an embedded header' error for some mails. 我正在尝试使用Office api使用肥皂消息来还原邮件,但是它为某些邮件给出了“标头值似乎包含嵌入式标头”错误。 eg. 例如。 

msg = MIMEMultipart()
msg['From'] = 'me@locmsglhost\r\nSubject: injected subject'
msg.as_string()

is throwing an error as email.errors.HeaderParseError: header value appears to contain an embedded header: 'me@locmsglhost\\nSubject: injected subject' 发生错误,因为email.errors.HeaderParseError:标头值似乎包含嵌入式标头:“ me @ locmsglhost \\ nSubject:注入的主题”

But if I am changing msg['From'] to 但是如果我将msg ['From']更改为 

'hello\r man: man'
'tya: Hello'
'push@#$\r\nPus'
'Hello \n\r Pushpa: World'
'@\r\nhello : World'

then it is working as expected. 然后它按预期工作。

What could be the possible reasons and What sort of vulnerabilities would there be in mime message? 可能是什么原因?哑剧消息中将存在哪些漏洞?

1 个解决方案

解决方案1
 0  2018-10-15 09:47:49

You cannot use any header as you want, that's forbidden. 您不能随意使用任何标题,这是被禁止的。

As stated in Documentation , 文档中所述

exception email.errors.HeaderParseError email.errors.HeaderParseError异常

... when an attempt is made to create a header that appears to contain an embedded header (that is, there is what is supposed to be a continuation line that has no leading whitespace and looks like a header). ...当试图创建一个似乎包含嵌入式标头的标头时(也就是说,应该有一个没有前导空格并且看起来像标头的续行)。

Why it is dangerous and should be handled well? 为什么它很危险并且应该妥善处理?

First, you may read this , it provide a simple example how a SMTP header injection attack can be done. 首先,您可能读过这篇文章 ,它提供了一个简单的示例如何进行SMTP标头注入攻击。

You may ask how can it be done? 您可能会问怎么做? I mean you are not letting anyone to edit your backend right? 我的意思是您不让任何人编辑您的后端吗?

Let's imagine, for you app there may be some field entered by user, for example 'message' , 想象一下,对于您的应用程序,用户可能会输入一些字段,例如'message' 

msg['message'] = 'abc' #Entered by user

That's ok, but what if 没关系,但是如果 

msg['message'] = 'abc\r\nreplyTo:attacker@hello.com'
#or
msg['message'] = 'abc\r\nTo:attacker@hello.com'

Attacker can easily override your email for like sending spam email. 攻击者可以轻松地覆盖您的电子邮件,例如发送垃圾邮件。 That's why it do the check for you. 这就是为什么它为您做检查。

You may even check if the header safe by 您甚至可以通过以下方式检查标题是否安全 

email.header.Header('string')

Let's take a look how python email library do the checking. 让我们看一下python电子邮件库如何进行检查。

Searching in the source code, Lib/email/header.py 搜索源代码Lib/email/header.py

In ln50-52: 在ln50-52中: 

# Find a header embedded in a putative header value.  Used to check for
# header injection attack.
_embedded_header = re.compile(r'\n[^ \t]+:')

You may try it, all example you provided can pass it except the one you stated. 您可以尝试一下,您提供的所有示例都可以通过,但您声明的示例除外。

As email header structure is always \\n(key_without_space): , so \\nhello : passed but not \\nhello: . 由于电子邮件标头结构始终为\\n(key_without_space): \\nhello :因此\\nhello :通过,但未传递\\nhello:

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Django电子邮件表单中的HeaderParseError - HeaderParseError in django email form 在Python中验证电子邮件标题 - Validate Email Header in Python 当标头名称包含`_`下划线时,获取Django标头值的正确格式是什么 - What is the correct format to get Django Header value when Header name contain `_` underscore 解析电子邮件标题 - Parsing header of email text 从 header 添加到 email - Add from header in email Python电子邮件标头提取器 - Python email header extractor Python电子邮件头奇怪的行为 - Python email header strange behavior 可以包含0个或多个分配的函数头 - Function header that can contain 0 or more assignments Python和防止电子邮件标头注入 - Python and preventing email header injections email header 中的顺序重要吗? - Does order matter in email header?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM