Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

email.generator.Generator ignores policy when using multipart/signed → ruins signing #99533

Open
e3rd opened this issue Nov 16, 2022 · 0 comments
Open

email.generator.Generator ignores policy when using multipart/signed → ruins signing #99533

e3rd opened this issue Nov 16, 2022 · 0 comments
Labels
stdlib Python modules in the Lib dir topic-email type-bug An unexpected behavior, bug, or error

Comments

@e3rd
Copy link

e3rd commented Nov 16, 2022
edited by bedevere-bot
Loading

Bug report

EmailMessage behaves differently when being set to multipart/signed mimetype.

from email.message import EmailMessage

inner = EmailMessage()
inner.add_attachment("some data", "text/plain", filename="*"*35)

outer1 = EmailMessage()
outer1.set_type("multipart/signed")  # affected by generator.py/_handle_multipart_signed
outer1.attach(inner)

outer2 = EmailMessage()
outer2.set_type("multipart/signeX")  # not affected by generator.py/_handle_multipart_signed
outer2.attach(inner)

# When accessing given submessage, nothing weird happens
outer1.get_payload()[0].as_string() == outer2.get_payload()[0].as_string()  # True

# However, when accessing whole message at once, headers folding change for the outer1 `multipart/signed` message
inner.as_string() in outer1.as_string()  # !False!
inner.as_string() in outer2.as_string()  # True

This is due to a 13 years old generator.py code that for an unknown reason rewrites the policy so that no header was folded:

    def _handle_multipart_signed(self, msg):
        # The contents of signed parts has to stay unmodified in order to keep
        # the signature intact per RFC1847 2.1, so we disable header wrapping.
        # RDM: This isn't enough to completely preserve the part, but it helps.
        p = self.policy
        self.policy = p.clone(max_line_length=0)
        try:
            self._handle_multipart(msg)
        finally:
            self.policy = p

As a result, when I GPG-sign the inner message and attach it to a wrapping-outer message along with the signature (which is the right thing), the signature is void because policy being ignored, the headers folding got disabled on the output. I understand the method _handle_multipart_signed should help the message signing but it ruins it instead. One dirty solution would be to set the policy to max_line_length=0 which fails for whatever reason:

from email import policy
pol = policy.default.clone(max_line_length=0)
inner = EmailMessage(policy=pol)
inner.add_attachment("some data", "text/plain", filename="*"*35)  # ValueError: maxlinelen must be at least 4

Therefore, I am not able to sign the inner message with the headers fold (as it is output unfold), not I am able to sign the inner message with the headers unfold (as ValueError prevents me to set the policy to not stop folding headers).

So my proposal is to remove _handle_multipart_signed altogether (which would be sufficient) or to find a use-case where it does make sense (I could not find any).

Your environment

  • CPython versions tested on: Python 3.10.6
  • Operating system and architecture: Ubuntu 22.04.1 LTS x86_64

Linked PRs
@e3rd e3rd added the type-bug An unexpected behavior, bug, or error label Nov 16, 2022
@e3rd e3rd mentioned this issue Nov 16, 2022
Closed
jackpendley added a commit to jackpendley/cpython that referenced this issue Dec 12, 2022
@jackpendley
Removed def _handle_multipart_signed from generator.py file to solve …
0e07b96 
…issue python#99533 where EmailMessage behaves differently when being set to multipart/signed mimetype
jackpendley added a commit to jackpendley/cpython that referenced this issue Dec 12, 2022
@jackpendley
Added unit test to test_email.py to ensure removing def _handle_multi…
6458267 
…part_signed would resolve issue python#99533
@bedevere-bot bedevere-bot mentioned this issue Dec 13, 2022
Open
@arhadthedev arhadthedev added stdlib Python modules in the Lib dir topic-email labels Feb 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stdlib Python modules in the Lib dir topic-email type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@arhadthedev @e3rd