pythongh-127794: Validate header name according rfc-5322 and allow on…

…ly printable ascii characters
srinivasreddy · Dec 11, 2024 · 901a91c · 901a91c
1 parent db9bea0
commit 901a91c
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/Lib/email/message.py b/Lib/email/message.py
@@ -564,6 +564,14 @@ def add_header(self, _name, _value, **_params):
         msg.add_header('content-disposition', 'attachment',
                        filename='Fußballer.ppt'))
         """
+        # Validate header name according to RFC 5322
+        if not _name or ' ' in _name or '\t' in _name or ':' in _name:
+            raise ValueError(f"Invalid header field name {_name!r}")
+
+        # Only allow printable ASCII characters
+        if any(ord(c) < 33 or ord(c) > 126 for c in _name):
+            raise ValueError(f"Header field name {_name!r} contains invalid characters")
+
         parts = []
         for k, v in _params.items():
             if v is None: