
email.errors.HeaderParseError: header value appears to contain an embedded header:

I am trying to restore mails using SOAP messages via the Office APIs, but it is giving the 'header value appears to contain an embedded header' error for some mails. E.g.

from email.mime.multipart import MIMEMultipart

msg = MIMEMultipart()
msg['From'] = 'me@locmsglhost\r\nSubject: injected subject'
msg.as_string()

throws the error email.errors.HeaderParseError: header value appears to contain an embedded header: 'me@locmsglhost\\nSubject: injected subject'

But if I change msg['From'] to

'hello\r man: man'
'tya: Hello'
'push@#$\r\nPus'
'Hello \n\r Pushpa: World'
'@\r\nhello : World'

then it works as expected.

What could be the possible reasons, and what sort of vulnerabilities would there be in a MIME message?

You cannot use any header value you want; that's forbidden.

As stated in the documentation:

exception email.errors.HeaderParseError

... when an attempt is made to create a header that appears to contain an embedded header (that is, there is what is supposed to be a continuation line that has no leading whitespace and looks like a header).

Why is it dangerous and why should it be handled well?

First, you may read this; it provides a simple example of how an SMTP header injection attack can be done.

You may ask how it can be done? I mean, you are not letting anyone edit your backend, right?

Let's imagine that for your app there may be some field entered by the user, for example 'message':

msg['message'] = 'abc'  # Entered by user

That's OK, but what if

msg['message'] = 'abc\r\nreplyTo:attacker@hello.com'
# or
msg['message'] = 'abc\r\nTo:attacker@hello.com'

An attacker can easily override your email, for example to send spam. That's why it does the check for you.

You may even check if the header is safe by

email.header.Header('string')

Let's take a look at how the Python email library does the checking.

Searching in the source code, Lib/email/header.py,

in lines 50-52:

import re

# Find a header embedded in a putative header value.  Used to check for
# header injection attack.
_embedded_header = re.compile(r'\n[^ \t]+:')

You may try it; all the examples you provided can pass it except the one you stated.

As the email header structure is always \n(key_without_space):, \nhello : passes but not \nhello: .
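The following is an added example, not code from the question or the answer above. It reruns the question's sample values through the same regex the answer quotes, through the legacy MIMEMultipart path from the question, and through the modern EmailMessage policy, and adds a simple input check that rejects any CR/LF before the value ever reaches a header. The SAMPLES values are taken from the question; the function names are my own.

```python
import re
from email.errors import HeaderParseError
from email.message import EmailMessage
from email.mime.multipart import MIMEMultipart

# Copy of the stdlib check from Lib/email/header.py. The stdlib applies it to
# the folded value, where every line break has already become '\n', so the
# '\r\n' in the input is normalised the same way here before matching.
_embedded_header = re.compile(r'\n[^ \t]+:')


def looks_like_embedded_header(value: str) -> bool:
    """Apply the stdlib regex to a header value as Header.encode() sees it."""
    folded = "\n".join(value.splitlines())
    return _embedded_header.search(folded) is not None


def compat32_rejects(value: str) -> bool:
    """True if the legacy MIMEMultipart path from the question raises."""
    msg = MIMEMultipart()
    msg['From'] = value           # accepted here; checked only when folding
    try:
        msg.as_string()
    except HeaderParseError:
        return True
    return False


def modern_policy_rejects(value: str) -> bool:
    """True if EmailMessage (email.policy.default) refuses the value outright."""
    msg = EmailMessage()
    try:
        msg['From'] = value       # any CR or LF raises ValueError on assignment
    except ValueError:
        return True
    return False


def is_safe_header_value(value: str) -> bool:
    """Defender-side input check: refuse any line break before building mail."""
    return "\r" not in value and "\n" not in value


# Samples from the question, mapped to whether the stdlib regex flags them.
SAMPLES = {
    'me@locmsglhost\r\nSubject: injected subject': True,  # real injection
    'hello\r man: man': False,    # continuation line starts with whitespace
    'tya: Hello': False,          # no line break at all
    'push@#$\r\nPus': False,      # line break but no colon
    '@\r\nhello : World': False,  # space before the colon
}
```

Note that only the first sample is caught by the legacy regex, while the modern policy and the input check refuse every value that contains a line break, which is the safer default for user-supplied data.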
