Merged PR 58740: [internal/release/9.0] Reject mail addresses containing CR or LF in MailAddressParser

liveans · jozkee · commit df1ae78bed2a · 2026-03-12T16:15:48.000Z
Adds early validation in MailAddressParser.TryParseAddress to reject email addresses containing CR or LF characters, preventing SMTP header injection via crafted mail address strings.
This fix has already been merged in .NET Framework and needs to ship together with it.

----
#### AI description  (iteration 1)
#### PR Classification
This pull request is a bug fix that strengthens input validation for email addresses by rejecting any address containing CR or LF characters.

#### PR Summary
The changes add a validation check in the mail address parser to throw a FormatException (or return false) when CR or LF characters are detected, and update tests accordingly to enforce the new behavior.
- `src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs`: Introduced a new check using MailBnfHelper.HasCROrLF to detect and reject mail addresses with CR or LF.
- `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs`: Added tests that verify the parser throws an exception or returns false based on the throwExceptionIfFail flag.
- `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs`: Updated test cases to remove or adjust mail addresses containing CR or LF characters.
&lt;!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot --&gt;
diff --git a/src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs b/src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs
@@ -69,6 +69,20 @@ private static bool TryParseAddress(string data, bool expectMultipleAddresses, r
             Debug.Assert(!string.IsNullOrEmpty(data));
             Debug.Assert(index >= 0 && index < data.Length, $"Index out of range: {index}, {data.Length}");
 
+            // Check for CR or LF characters which are not allowed in mail addresses.
+            // Only scan on the first call (index == data.Length - 1) to avoid repeated O(n) scans
+            // when parsing multiple addresses from the same string.
+            if (index == data.Length - 1 && MailBnfHelper.HasCROrLF(data))
+            {
+                if (throwExceptionIfFail)
+                {
+                    throw new FormatException(SR.MailAddressInvalidFormat);
+                }
+
+                parseAddressInfo = default;
+                return false;
+            }
+
             // Parsed components to be assembled as a MailAddress later
             string? displayName;
 
diff --git a/src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs b/src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs
@@ -580,37 +580,17 @@ public void TestGssapiAuthentication()
 
         [Theory]
         [MemberData(nameof(SendMail_MultiLineDomainLiterals_Data))]
-        public async Task SendMail_MultiLineDomainLiterals_Disabled_Throws(string from, string to, bool asyncSend)
+        public void SendMail_MultiLineDomainLiterals_Disabled_Throws(string from, string to)
         {
-            using var server = new LoopbackSmtpServer();
-
-            using SmtpClient client = server.CreateClient();
-            client.Credentials = new NetworkCredential("Foo", "Bar");
-
-            using var msg = new MailMessage(@from, @to, "subject", "body");
-
-            await Assert.ThrowsAsync<SmtpException>(async () =>
-            {
-                if (asyncSend)
-                {
-                    await client.SendMailAsync(msg).WaitAsync(TimeSpan.FromSeconds(30));
-                }
-                else
-                {
-                    client.Send(msg);
-                }
-            });
+            Assert.Throws<FormatException>(() => new MailMessage(@from, @to, "subject", "body"));
         }
 
         public static IEnumerable<object[]> SendMail_MultiLineDomainLiterals_Data()
         {
-            foreach (bool async in new[] { true, false })
+            foreach (string address in new[] { "foo@[\r\n bar]", "foo@[bar\r\n ]", "foo@[bar\r\n baz]" })
             {
-                foreach (string address in new[] { "foo@[\r\n bar]", "foo@[bar\r\n ]", "foo@[bar\r\n baz]" })
-                {
-                    yield return new object[] { address, "foo@example.com", async };
-                    yield return new object[] { "foo@example.com", address, async };
-                }
+                yield return new object[] { address, "foo@example.com" };
+                yield return new object[] { "foo@example.com", address };
             }
         }
     }
diff --git a/src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs b/src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs
@@ -559,5 +559,39 @@ public void ParseAddresses_WithManyComplexAddresses_ShouldReadCorrectly()
             Assert.Equal("\" asciin;,oqu o.tesws \"", result[6].User);
             Assert.Equal("this.test.this", result[6].Host);
         }
+
+        [Theory]
+        [InlineData("test\r@example.com")]
+        [InlineData("test\n@example.com")]
+        [InlineData("test\r\n@example.com")]
+        [InlineData("Display\r\nName <test@example.com>")]
+        [InlineData("test@example\r.com")]
+        [InlineData("test@example\n.com")]
+        [InlineData("test@example.com\r\n")]
+        public void TryParseAddress_WithCROrLF_ShouldThrow(string address)
+        {
+            Assert.Throws<FormatException>(() => MailAddressParser.TryParseAddress(address, out _, throwExceptionIfFail: true));
+        }
+
+        [Theory]
+        [InlineData("test\r@example.com")]
+        [InlineData("test\n@example.com")]
+        [InlineData("test\r\n@example.com")]
+        [InlineData("Display\r\nName <test@example.com>")]
+        [InlineData("test@example\r.com")]
+        [InlineData("test@example\n.com")]
+        [InlineData("test@example.com\r\n")]
+        public void TryParseAddress_WithCROrLF_ShouldReturnFalse(string address)
+        {
+            Assert.False(MailAddressParser.TryParseAddress(address, out _, throwExceptionIfFail: false));
+        }
+
+        [Fact]
+        public void ParseMultipleAddresses_WithCROrLF_ShouldThrow()
+        {
+            Assert.Throws<FormatException>(() => MailAddressParser.ParseMultipleAddresses("a@b.com, test\r\n@example.com"));
+            Assert.Throws<FormatException>(() => MailAddressParser.ParseMultipleAddresses("test\n@example.com, a@b.com"));
+            Assert.Throws<FormatException>(() => MailAddressParser.ParseMultipleAddresses("a@b.com, c@d.com, e\r@f.com"));
+        }
     }
 }
diff --git a/src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs b/src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs
@@ -36,8 +36,7 @@ public static IEnumerable<object[]> GetValidEmailTestData()
             yield return new object[] { "testuser@[mail.com]" };
             yield return new object[] { "testuser@[ mail.com] " };
             yield return new object[] { "testuser@[mail.com ]" };
-            yield return new object[] { "testuser@[mail.com \r\n ]" };
-            yield return new object[] { "testuser@[ \r\n mail.com]" };
+            yield return new object[] { "testuser@[mail.com  ]" };
             yield return new object[] { "testuser@[  mail.com]" };
             yield return new object[] { "testuser <testuser@mail.com>" };
             yield return new object[] { "Test\u3044\u3069 User <testUser1@NCLMailTest.com>" };
@@ -90,8 +89,8 @@ public static IEnumerable<object[]> GetValidEmailTestData()
             yield return new object[] { "\"disp \f lay\" <\"testsome\"@NCLMailTest.com>" };
             yield return new object[] { "\"EscapedUnicode \\\u3044\\\u3069 display\" <testUser1@NCLMailTest.com>" };
             yield return new object[] { "(Unicode \u3044 Comment) <\"testsome\"@NCLMailTest.com>" };
-            yield return new object[] { "\"display \r\n name\" <\"folding\"@domain.com>" };
-            yield return new object[] { "\"test\r\n test\"@mail.com" };
+            yield return new object[] { "\"display  name\" <\"folding\"@domain.com>" };
+            yield return new object[] { "\"test test\"@mail.com" };
             // Email Address Internationalization (EAI)
             yield return new object[] { "UnicodeUserName \"Test\u3044\u3069\"@NCLMailTest.com" };
             yield return new object[] { "<\"EscapedUnicode \\\u3044\\\u3069 User\"@NCLMailTest.com>" };
@@ -127,6 +126,10 @@ public static IEnumerable<object[]> GetInvalidEmailTestData()
             yield return new object[] { "Bob \"display\" <user@host>" };
             yield return new object[] { "testuser@[mail.com \r ]" };
             yield return new object[] { "testuser@[mail.com \n ]" };
+            yield return new object[] { "testuser@[mail.com \r\n ]" };
+            yield return new object[] { "testuser@[ \r\n mail.com]" };
+            yield return new object[] { "\"display \r\n name\" <\"folding\"@domain.com>" };
+            yield return new object[] { "\"test\r\n test\"@mail.com" };
             yield return new object[] { "testuser@[mail\u3069.com]" }; // No unicode allowed in square brackets
             yield return new object[] { "invalid@unicode\uD800.com" }; // D800 is a high surrogate
             yield return new object[] { "invalid@unicode\uD800.com" }; // D800 is a high surrogate
