gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) #105127
Conversation
… tuple to indicate the parsing error (old API)
|
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool. |
|
I had to create a new PR to replace the last one because Git got all messed up. This is the old PR: #102990 |
tdwyer
changed the title
|
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool. |
This comment was marked as duplicate.
This comment was marked as duplicate.
This comment was marked as duplicate.
This comment was marked as duplicate.
|
Hum... it looks like CVE-2019-16056 was only fixed for getaddresses() parseaddr() |
|
Should I add that NEWS entry that the Bot is asking for? |
I think it is needed, NEWS entry is required for most code modifications 😄. Please see: https://devguide.python.org/core-developers/committing/#updating-news-and-what-s-new-in-python |
|
I added NEWS entry, and all Unit tests have passed. |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as spam.
This comment was marked as spam.
|
Docs updated, auto-merge set. The backports beyond 3.12 will require manual work to get version numbered things right. I'd like to let this bake in 3.12beta4 & 3.12rc1 for a while first to see if any practical issues arise before landing the backports in older releases. it is a security issue so we could backport it all the way to 3.8, but lets see how things go first. it is not high severity. |
|
Sorry, @tdwyer and @gpshead, I could not cleanly backport this to |
… tuple to indicate the parsing error (old API) (pythonGH-105127) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). This fixes or at least ameliorates CVE-2023-27043. --------- (cherry picked from commit 18dfbd0) Co-authored-by: Thomas Dwyer <github@tomd.tel> Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
Sorry @tdwyer and @gpshead, I had trouble checking out the |
|
GH-106612 is a backport of this pull request to the 3.12 branch. |
…y tuple to indicate the parsing error (old API) (GH-105127) (#106612) gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) (GH-105127) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). This fixes or at least ameliorates CVE-2023-27043. --------- (cherry picked from commit 18dfbd0) Co-authored-by: Thomas Dwyer <github@tomd.tel> Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
Hello @gpshead Are you going to take care of the backports/cherrypick for 3.10 and 3.11 I'd do them but I've never done that before... Hum, actually I don't think I have permission to do that. |
|
i'll do them, the issue remains assigned to me as a reminder. (anyone can do it, it's just a matter of creating your PR as a fork of the relevant release branch and selecting the matching base branch in the github ui at pr creation time) |
Please see https://devguide.python.org/core-developers/committing/#backporting-changes-to-an-older-version for details. |
|
this appears to have caused #106669 |
| @@ -87,7 +92,7 @@ of the new API. | |||
| This method returns a list of 2-tuples of the form returned by ``parseaddr()``. | |||
| *fieldvalues* is a sequence of header field values as might be returned by | |||
| :meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple | |||
| example that gets all the recipients of a message:: | |||
There was a problem hiding this comment.
@tdwyer Is this right? Isn’t the next paragraph still a literal block? Why have you removed this colon?
…g errors and return empty tuple to indicate the parsing error (old API) (python#105127)" This reverts commit 18dfbd0. See python#106669.
… parsing errors ... (pythonGH-105127)" (pythonGH-106733) This reverts commit 18dfbd0. Adds a regression test from the issue. See python#106669.. (cherry picked from commit a31dea1) Co-authored-by: Gregory P. Smith <greg@krypto.org>
This PR is designed to detect parsing errors and return an empty tuple to indicate the parsing error. Additionally, this PR updates the
test_email.pyto check for these bugs, as well as, adds some other wacky Address Headers that are in the examples of RFC 2822 and makes sure they are being parsed correctly.I realize that this PR dose not actually track down the bug and fix it. It simply detects the error has happened and returns a parsing error. However,
Lib/email/utils.pyis a much simpler file thanLib/email/_parseaddr.py, so it is much easier to review this change. Additionally, there are actually multiple bugs which are causing erroneous output. Tracing the code flow for each and fixing them would be prone to error considering all of the wacky stuff that RFC 2822 allows for in Address headers. Finally, this change is actually rather simple.