Message 345879 - Python tracker (original) (raw)

Python 2.7 doesn't have email.policy module.

For Python 2.7, I wrote this code:

import email.header import email.message

msg = email.message.Message() msg.set_charset("UTF-8") msg['Subject'] = email.header.Header(u'\u0105' * 12, maxlinelen=20, charset="UTF-8") print(msg.as_string())

I get this output:

MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Subject: =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?= =?utf-8?b?xIU=?=

I have no idea if this example says that Python 2.7 is vulnerable or not. I get a different output on the master branch:

MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Subject: =?utf-8?b?xIXEhcSFxIXEhcSFxIXEhcSFxIXEhcSF?=

But I don't know if I use the email API properly. "Subject: =?utf-8?b?xIXEhcSFxIXEhcSFxIXEhcSFxIXEhcSF?=" is longer than 20 characters.