REST server allows values for MailingList.description that will break email processing
The contents of MailingList.description are used to compose the List-Id header. The documentation states that it should be a terse phrase, but the REST server performs no check on the value. If a value containing a newline followed by a URL (for example) is stored there, email processing breaks: the Python email library treats the value as possibly containing an embedded header (a header inside another header), which is exactly the shape of a header injection attack.
To make things worse, the widget used for the description in Postorius is a textarea field, so it encourages newlines. Example with my folks who wanted to set this description this morning:
Fedora Diversity Team
https://fedoraproject.org/wiki/Diversity
Afterwards, I get this traceback in my logs:
Aug 09 11:48:17 2016 (18143) Uncaught runner exception: header value appears to contain an embedded header: '"Fedora Diversity Team\nhttps://fedoraproject.org/wiki/Diversity" <diversity@lists.fedoraproject.org>'
Aug 09 11:48:17 2016 (18143) Traceback (most recent call last):
File "/usr/lib/python3.4/site-packages/mailman/core/runner.py", line 159, in _one_iteration
self._process_one_file(msg, msgdata)
File "/usr/lib/python3.4/site-packages/mailman/core/runner.py", line 252, in _process_one_file
keepqueued = self._dispose(mlist, msg, msgdata)
File "/usr/lib/python3.4/site-packages/mailman/runners/pipeline.py", line 37, in _dispose
process(mlist, msg, msgdata, pipeline)
File "/usr/lib/python3.4/site-packages/mailman/core/pipelines.py", line 53, in process
handler.process(mlist, msg, msgdata)
File "/usr/lib/python3.4/site-packages/mailman/handlers/to_digest.py", line 48, in process
mbox.add(msg)
File "/usr/lib64/python3.4/mailbox.py", line 601, in add
self._toc[self._next_key] = self._append_message(message)
File "/usr/lib64/python3.4/mailbox.py", line 752, in _append_message
offsets = self._install_message(message)
File "/usr/lib64/python3.4/mailbox.py", line 824, in _install_message
self._dump_message(message, self._file, self._mangle_from_)
File "/usr/lib64/python3.4/mailbox.py", line 214, in _dump_message
gen.flatten(message)
File "/usr/lib64/python3.4/email/generator.py", line 112, in flatten
self._write(msg)
File "/usr/lib64/python3.4/email/generator.py", line 195, in _write
self._write_headers(msg)
File "/usr/lib64/python3.4/email/generator.py", line 422, in _write_headers
self._fp.write(self.policy.fold_binary(h, v))
File "/usr/lib64/python3.4/email/_policybase.py", line 325, in fold_binary
folded = self._fold(name, value, sanitize=self.cte_type=='7bit')
File "/usr/lib64/python3.4/email/_policybase.py", line 353, in _fold
maxlinelen=self.max_line_length))
File "/usr/lib64/python3.4/email/header.py", line 393, in encode
"an embedded header: {!r}".format(value))
email.errors.HeaderParseError: header value appears to contain an embedded header: '"Fedora Diversity Team\nhttps://fedoraproject.org/wiki/Diversity" <diversity@lists.fedoraproject.org>'
Aug 09 11:48:17 2016 (18143) SHUNTING: 1470743297.6160038+bb3d261f8ad3d8fa29756003e054b2758a28da5e
The Python email library refuses to serialize the message to a string, so the message is shunted and processing for that list breaks.
I suggest that the REST endpoint should validate the description value and make sure it contains no newlines. Postorius should also be fixed to use a simple input widget and not a textarea.
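As an added example (not code from Mailman, Postorius or this report), the snippet below reproduces the failure path seen in the traceback and shows the kind of check the REST endpoint should apply. The header shape, the address and the sample descriptions are constructed for illustration.

```python
import io
import re
from email.errors import MessageError
from email.generator import Generator
from email.message import EmailMessage, Message
from typing import Optional

# Constructed sample values: a terse one-line description and the
# two-line one from the report above.
GOOD_DESCRIPTION = "Fedora Diversity Team"
BAD_DESCRIPTION = "Fedora Diversity Team\nhttps://fedoraproject.org/wiki/Diversity"

# Reject CR, LF and any other control character: none of them belong in a
# header value, and CR/LF are what turn a value into an injected header.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")


def is_valid_description(value: str) -> bool:
    """The check the REST endpoint should perform before storing the value."""
    return bool(value) and _FORBIDDEN.search(value) is None


def flatten_with_compat32(description: str) -> Optional[str]:
    """Reproduce the traceback: Message() uses the compat32 policy, which
    accepts the raw value at assignment and only fails when the header is
    folded for output. Returns the exception class name, or None."""
    msg = Message()
    # Hypothetical header shape with a constructed list address.
    msg["List-Id"] = f'"{description}" <diversity.lists.example.org>'
    try:
        Generator(io.StringIO()).flatten(msg)
    except MessageError as exc:
        return type(exc).__name__
    return None


def set_with_modern_policy(description: str) -> Optional[str]:
    """EmailMessage (the modern default policy) rejects a multi-line value
    already at assignment time, which is where the check belongs."""
    msg = EmailMessage()
    try:
        msg["List-Id"] = f'"{description}" <diversity.lists.example.org>'
    except ValueError as exc:
        return type(exc).__name__
    return None
```

Running the compat32 path with BAD_DESCRIPTION reproduces the HeaderParseError from the log only at serialization time, long after the bad value was accepted; the validator rejects it up front.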