Bug 644147 - Patch for get_filename in email.message when content-disposition is missing
Summary: Patch for get_filename in email.message when content-disposition is missing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: python
Version: 5.5
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Dave Malcolm
QA Contact: Petr Šplíchal
URL:
Whiteboard:
Depends On:
Blocks: 649250
TreeView+ depends on / blocked
 
Reported: 2010-10-19 02:24 UTC by Masahiro Matsuya
Modified: 2018-10-27 11:47 UTC (History)
5 users (show)

Fixed In Version: python-2.4.3-36.el5
Doc Type: Bug Fix
Doc Text:
The email module incorrectly implemented the logic for obtaining attachment filenames: the get_filename() fallback for using the deprecated "name" parameter of the "Content-Type" header erroneously used the "Content-Disposition" header. This update backports a fix from Python 2.6, which resolves this issue.
Clone Of:
Environment:
Last Closed: 2011-01-13 23:10:29 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0027 0 normal SHIPPED_LIVE Low: python security, bug fix, and enhancement update 2011-01-13 10:58:29 UTC

Description Masahiro Matsuya 2010-10-19 02:24:21 UTC 
Description of problem:

This is a request to backport the following bugfix.

   http://bugs.python.org/issue7082

Case Summary:
============

Upstream bug: http://bugs.python.org/issue7082

message.get_filename() in python email incorrectly looks for a "name" parameter in Content-Disposition header when it does not find a "filename" parameter. This is wrong, since there is no such defined parameter. Instead, there is a "name" parameter in Content-Type header, which ought to be checked in case the "filename" parameter in content-Disposition does not exist.

Issues:
---------

* The issue impacts the customer of our customer, hence they need an urgent fix for this.
* The fix is trivial, but may be viewed as a behaviour change and hence not recommended for RHEL-5
* The "name" parameter for Content-Type is apparently deprecated:

http://www.imc.org/ietf-822/old-archive2/msg02121.html

but a number of applications still use it (Microsoft's .Net framework) and hence needs to be supported.


Version-Release number of selected component (if applicable):
python-2.4.3-27

How reproducible:
Always


Actual results:
message.get_filename() in python email incorrectly looks for a "name" parameter in Content-Disposition header when it does not find a "filename" parameter

Expected results:
Content-Type header should be checked

Additional info:

patch:
svn co http://svn.python.org/projects/python/trunk python
svn diff -r75300:75301
Comment 9 Eva Kopalova 2010-12-20 10:20:34 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The email module incorrectly implemented the logic for obtaining attachment filenames: the get_filename() fallback for using the deprecated "name" parameter of the "Content-Type" header erroneously used the "Content-Disposition" header. This update backports a fix from Python 2.6, which resolves this issue.
Comment 11 errata-xmlrpc 2011-01-13 23:10:29 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0027.html
Note You need to log in before you can comment on or make changes to this bug.