[CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr()

[vstinner]

Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer.

• Issue: [CVE-2023-27043] Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple #102988

---

📚 Documentation preview 📚: https://cpython-previews--111116.org.readthedocs.build/

[vstinner]

@gpshead @serhiy-storchaka @bitdancer @warsaw: Would you mind to review this security fix?

See issue gh-102988 for the context.

This PR is a copy of PR #108250 but I added strict=True parameter, so it's possible to get the old behavior. I added tests on both modes, strict=True and strict=False.

[vstinner]

This PR is a copy of PR #108250 but I added strict=True parameter

My colleague Lumir Balhar @frenzymadness ran an impact check of PR #108250 on Fedora: in short, there is no impact, the test suite of all Python packages (in Fedora) pass with the change. While there were some build errors, they were unrelated to the email issue. For details, see https://copr.fedorainfracloud.org/coprs/lbalhar/email-CVE/builds/ COPR which as more than 4300 builds.

Now with an additional strict parameter, if there is any impacted project, at least there is a way to "opt out".

[vstinner]

@tdwyer: Would you mind to review my change, to see if I preserved your work correctly? (code and tests)

[vstinner]

I think that we should backport the change to all branches accepting security fixes. Problem: the change refer to version numbers, which as .. versionchanged:: 3.13. I suppose that if the change is backported, we should compute the next version of each branch, so backport manually.

[vstinner]

@ambv @SethMichaelLarson: Would you mind to review this PR?

[ambv]

Why is this a separate PR from #108250?

[serhiy-storchaka]

TIL a new word.

[serhiy-storchaka]

Suggested change

	realname_comma_re = re.compile(r'"[^"]*,[^"]*"')
	realname_comma_re = re.compile(r'"[^",]*+,[^"]*+"')

It is faster. But I am not sure that the use of such regex is correct.

[serhiy-storchaka]

But what if that backslash was already escaped with a backslash? For example \\) or \\\\).

[vstinner]

Why is this a separate PR from #108250?

I'm not the author of the other PR. I copied the other PR and added strict parameter.

[ambv]

I'm not the author of this PR and I was able to make commits to it.

[vstinner]

I'm not the author of this PR and I was able to make commits to it.

I don't feel comfortable to make significant change of a PR without asking the author. I prefer to create a separated PR and ask for review.

[vstinner]

Is this behavior a bug or a feature? I don't know how ; is supposed to behave.

$ python
Python 3.11.6 (main, Oct  3 2023, 00:00:00) [GCC 13.2.1 20230728 (Red Hat 13.2.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from email.utils import getaddresses
>>> from pprint import pprint
>>> pprint(getaddresses('<bob@example.org>; <alice@example.org>'))
[('', ''),
 ('', 'b'),
 ('', 'o'),
 ('', 'b'),
 ('', ''),
 ('', 'e'),
 ('', 'x'),
 ('', 'a'),
 ('', 'm'),
 ('', 'p'),
 ('', 'l'),
 ('', 'e'),
 ('', '.'),
 ('', 'o'),
 ('', 'r'),
 ('', 'g'),
 ('', ''),
 ('', ''),
 ('', ''),
 ('', ''),
 ('', 'a'),
 ('', 'l'),
 ('', 'i'),
 ('', 'c'),
 ('', 'e'),
 ('', ''),
 ('', 'e'),
 ('', 'x'),
 ('', 'a'),
 ('', 'm'),
 ('', 'p'),
 ('', 'l'),
 ('', 'e'),
 ('', '.'),
 ('', 'o'),
 ('', 'r'),
 ('', 'g'),
 ('', '')]

[vstinner]

Is this behavior a bug or a feature? I don't know how ; is supposed to behave.

Oh. getaddresses() expects a sequence, not a string :-)

[vstinner]

Except of parsedate_tz() function, Lib/email/_parseaddr.py file didn't evolve much it was added in 2002 by commit 030ddf7. The file was created from Lib/rfc822.py which was added in 1992 (commit 01ca336).

The latest major change was done in... 1997 with commit be7c45e

New address parser by Ben Escoto replaces Sjoerd Mullender's parseaddr()

The latest minor change was done in 2019 to fix CVE-2019-16056: commit 8cb65d1 of issue #78336.

[vstinner]

What if the input is '"Jane Doe" jane@example.net, "John Doe" john@example.net'?

Oh, realname_comma_re replaces "Jane Doe" <jane@example.net>, "John Doe" <john@example.net> with "Jane Doe <john@example.net> which is invalid...

[vstinner]

Email addresses have multiple standards:

• 1982: https://datatracker.ietf.org/doc/html/rfc822
• 2001: https://datatracker.ietf.org/doc/html/rfc2822 (replace 822)
• 2008: https://datatracker.ietf.org/doc/html/rfc5322 (replace 2822)
• 2012: https://datatracker.ietf.org/doc/html/rfc6532

[tdwyer]

Thank you @vstinner for picking this up and helping to get this patch merged. I agree, adding a flag to disable the new strict behavior is a good idea to avoid any issues it may cause for others.

[mcepl]

I have already some testing on this backport of the patch for Python 2.7. Comments and reviews are more than welcome.

CVE-2023-27043-email-parsing-errors.patch

[stratakis]

I have already some testing on this backport of the patch for Python 2.7. Comments and reviews are more than welcome.

CVE-2023-27043-email-parsing-errors.patch

Hey @mcepl . We have already backported this to python2.7 in Fedora: fedora-python@5ae7bab

[vstinner]

Is it time to backport the change to Python 3.8-3.12? So far, nobody reported any regression in Python 3.13.

[mcepl]

• Patch for Python 3.8
• Patch for Python 3.9
• Patch for Python 3.6

Of course, I am eager for reviews and comments.

So far, the only issue I have heard about was confusion about str/unicode objects in Python 2.7 (https://bugzilla.suse.com/1222537), which I think may be your problem as well.

Also, I left some comments on that commit.

[encukou]

Is it time to backport the change to Python 3.8-3.12

According to this comment, not yet: #102988 (comment)