Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

email CVE and IP CVE for 3.11 #81

Merged
merged 2 commits into from
Aug 16, 2024
Merged

email CVE and IP CVE for 3.11 #81

merged 2 commits into from
Aug 16, 2024

Conversation

stratakis
Copy link
Member

No description provided.

encukou and others added 2 commits August 16, 2024 01:42
@encukou @stratakis
00431: pythongh-113171: pythongh-65056: Fix "private" (non-global) IP…
234aea1 
… address ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177) (pythonGH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
@encukou @basbloemsaat
@serhiy-storchaka @stratakis
00435: pythongh-121650: Encode newlines in headers, and verify header…
b23c8a0 
…s are sound (pythonGH-122233)

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

This should fail for custom fold() implementations that aren't careful
about newlines.

(cherry picked from commit 0976339)

Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Bas Bloemsaat <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
@stratakis stratakis changed the title email CVE and IP CVE email CVE and IP CVE for 3.11 Aug 15, 2024
@stratakis stratakis merged commit b23c8a0 into fedora-python:fedora-3.11 Aug 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stratakis @encukou