spf.py crash on invalid SPF record, say "ip4:1.2.3.4\010" about pyspf HOT 12 CLOSED

Thanks, this looks like a pretty clear bug. Is the \010 literal? Or is it an octal escape? The first step is a test case in the portable test suite. This will be a doozy!

from pyspf.

It looks from the traceback like it is a \x0a - i.e. newline. Were it two segments to the TXT record? Or only one?

from pyspf.

This fails to get the same error - it just gets a permerror like it should.

  badip4:
    description: >-
      Mechanisms are separated by spaces only, not any control char.
    spec: 4.6.1/2
    helo: foobar
    host: 192.0.2.5
    mailfrom: "[email protected]"
    result: permerror
zonedata:
    badip.example.com:
    - SPF:  "v=spf1 ip4:192.0.2.5\x0a include:spf.protection.outlook.com ~all"

from pyspf.

So, what version of pyspf are you using? It works fine with that test.

from pyspf.

Running from CLI:

$ python spf.py -v "v=spf1 ip4:192.0.2.5\n include:spf.protection.outlook.com ~all" 192.0.2.5 [email protected] foobar
result: ('permerror', 550, 'SPF Permanent Error: Invalid IP4 address: ip4:192.0.2.5\\n') None

This is the correct behavior. I am closing this until the issue can be reproduced.

from pyspf.

Checked that 2.0.12 also works correctly.

from pyspf.

I can now reproduce on 2.0.12 with python3:

$ python3 spf.py -v "v=spf1 ip4:192.0.2.1 ip4:192.0.2.3 ip4:192.0.2.5
 include:spf.protection.outlook.com ~all" 192.0.2.5 [email protected] foobar
Traceback (most recent call last):
  File "spf.py", line 1954, in <module>
    r = q.check(argv[0])
  File "spf.py", line 574, in check
    rc = self.check1(spf, self.d, 0)
  File "spf.py", line 613, in check1
    return self.check0(spf, recursion)
  File "spf.py", line 933, in check0
    if self.cidrmatch([arg], cidrlength): break
  File "spf.py", line 1376, in cidrmatch
    for netwrk in [ipaddress.ip_network(ip) for ip in ipaddrs]:
  File "spf.py", line 1376, in <listcomp>
    for netwrk in [ipaddress.ip_network(ip) for ip in ipaddrs]:
  File "/usr/lib64/python3.7/ipaddress.py", line 84, in ip_network
    address)
ValueError: '192.0.2.5\n' does not appear to be an IPv4 or IPv6 network

Python2 and 2.0.13 are ok. I'll make sure the test case reproduces on 2.0.12, but otherwise this is fixed in new version.

from pyspf.

I confirmed that the test case added reproduces the issue for 2.0.12. @apircalabu Thanks for the test case! It it is good one. Maybe it will trip up some other implementations.

from pyspf.

@sdgathman I was using 2.0.12, now upgraded to 2.0.13. However, I can't replicate the crash from cli on 2.0.12, the backslash always gets excaped :(
$ python3 spf.py 'v=spf1 ip4:192.0.2.1 ip4:192.0.2.3 ip4:192.0.2.5\010 include:spf.protection.outlook.com ~all' 192.0.2.5 [email protected] foobar
result: ('permerror', 550, 'SPF Permanent Error: Invalid IP4 address: ip4:192.0.2.5\010') None
$ python3 -V
Python 3.4.3

from pyspf.

I couldn't remember the bash syntax for inserting an actual newline via backslash - so I just pressed enter within the quotes to insert the newline for cli. The test case uses yaml syntax, which is like python.

from pyspf.

Ah of course :) Can now confirm the issue for 2.0.12 and the fix in 2.0.13. Any chance to have the fix pulled via pip?

from pyspf.

I uploaded a 2.0.13 release to pypi - I don't use pip, so don't know if it works.

from pyspf.