Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32.4k
gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API)#105127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
… tuple to indicate the parsing error (old API)
bedevere-bot commentedMay 31, 2023
Most changes to Pythonrequire a NEWS entry. Please add it using theblurb_it web app or theblurb command-line tool. |
I had to create a new PR to replace the last one because Git got all messed up. This is the old PR:#102990 |
bedevere-bot commentedMay 31, 2023
Most changes to Pythonrequire a NEWS entry. Please add it using theblurb_it web app or theblurb command-line tool. |
This comment was marked as duplicate.
This comment was marked as duplicate.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
This comment was marked as duplicate.
This comment was marked as duplicate.
Hum... it looks likeCVE-2019-16056 was only fixed for getaddresses() parseaddr() |
Should I add that NEWS entry that the Bot is asking for? |
I think it is needed, NEWS entry is required for most code modifications 😄. Please see:https://devguide.python.org/core-developers/committing/#updating-news-and-what-s-new-in-python |
I added NEWS entry, and all Unit tests have passed. |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as spam.
This comment was marked as spam.
Docs updated, auto-merge set. The backports beyond 3.12 will require manual work to get version numbered things right. I'd like to let this bake in 3.12beta4 & 3.12rc1 for a while first to see if any practical issues arise before landing the backports in older releases. it is a security issue so we could backport it all the way to 3.8, but lets see how things go first. it is not high severity. |
Sorry,@tdwyer and@gpshead, I could not cleanly backport this to |
… tuple to indicate the parsing error (old API) (pythonGH-105127)Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). This fixes or at least amelioratesCVE-2023-27043.---------(cherry picked from commit18dfbd0)Co-authored-by: Thomas Dwyer <github@tomd.tel>Co-authored-by: Gregory P. Smith <greg@krypto.org>
Sorry@tdwyer and@gpshead, I had trouble checking out the |
bedevere-bot commentedJul 10, 2023
GH-106612 is a backport of this pull request to the3.12 branch. |
…y tuple to indicate the parsing error (old API) (GH-105127) (#106612)gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) (GH-105127)Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). This fixes or at least amelioratesCVE-2023-27043.---------(cherry picked from commit18dfbd0)Co-authored-by: Thomas Dwyer <github@tomd.tel>Co-authored-by: Gregory P. Smith <greg@krypto.org>
tdwyer-wish commentedJul 12, 2023 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Hello@gpshead Are you going to take care of the backports/cherrypick for 3.10 and 3.11 I'd do them but I've never done that before... Hum, actually I don't think I have permission to do that. |
i'll do them, the issue remains assigned to me as a reminder. (anyonecan do it, it's just a matter of creating your PR as a fork of the relevant release branch and selecting the matching base branch in the github ui at pr creation time) |
Please seehttps://devguide.python.org/core-developers/committing/#backporting-changes-to-an-older-version for details. |
this appears to have caused#106669 |
| @@ -87,7 +92,7 @@ of the new API. | |||
| This method returns a list of 2-tuples of the form returned by ``parseaddr()``. | |||
| *fieldvalues* is a sequence of header field values as might be returned by | |||
| :meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple | |||
| example that gets all the recipients of a message:: | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
@tdwyer Is this right? Isn’t the next paragraph still a literal block? Why have you removed this colon?
…g errors and return empty tuple to indicate the parsing error (old API) (python#105127)"This reverts commit18dfbd0.Seepython#106669.
… parsing errors ... (pythonGH-105127)" (pythonGH-106733)This reverts commit18dfbd0.Adds a regression test from the issue.Seepython#106669..(cherry picked from commita31dea1)Co-authored-by: Gregory P. Smith <greg@krypto.org>
Uh oh!
There was an error while loading.Please reload this page.
This PR is designed to detect parsing errors and return an empty tuple to indicate the parsing error. Additionally, this PR updates the
test_email.pyto check for these bugs, as well as, adds some other wacky Address Headers that are in the examples of RFC 2822 and makes sure they are being parsed correctly.I realize that this PR dose not actually track down the bug and fix it. It simply detects the error has happened and returns a parsing error. However,
Lib/email/utils.pyis a much simpler file thanLib/email/_parseaddr.py, so it is much easier to review this change. Additionally, there are actually multiple bugs which are causing erroneous output. Tracing the code flow for each and fixing them would be prone to error considering all of the wacky stuff that RFC 2822 allows for in Address headers. Finally, this change is actually rather simple.