gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) #105127
tdwyer commented May 31, 2023 • edited by bedevere-bot
… tuple to indicate the parsing error (old API)
bedevere-bot commented May 31, 2023
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool.
tdwyer commented May 31, 2023
I had to create a new PR to replace the last one because Git got all messed up. This is the old PR: #102990
bedevere-bot commented May 31, 2023
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool.
tdwyer commented Jun 7, 2023
Hum... it looks like CVE-2019-16056 was only fixed for getaddresses() parseaddr()
tdwyer commented Jun 7, 2023
Should I add that NEWS entry that the Bot is asking for?
CharlieZhao95 commented Jun 7, 2023
I think it is needed, NEWS entry is required for most code modifications 😄. Please see: https://devguide.python.org/core-developers/committing/#updating-news-and-what-s-new-in-python
tdwyer commented Jun 14, 2023
I added a NEWS entry, and all unit tests have passed.
gpshead commented Jul 10, 2023
Docs updated, auto-merge set. The backports beyond 3.12 will require manual work to get version numbered things right. I'd like to let this bake in 3.12beta4 & 3.12rc1 for a while first to see if any practical issues arise before landing the backports in older releases. It is a security issue so we could backport it all the way to 3.8, but let's see how things go first. It is not high severity.
miss-islington commented Jul 10, 2023
Sorry, @tdwyer and @gpshead, I could not cleanly backport this to
… tuple to indicate the parsing error (old API) (pythonGH-105127) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). This fixes or at least ameliorates CVE-2023-27043. --------- (cherry picked from commit 18dfbd0) Co-authored-by: Thomas Dwyer <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]>
miss-islington commented Jul 10, 2023
Sorry @tdwyer and @gpshead, I had trouble checking out the
bedevere-bot commented Jul 10, 2023
GH-106612 is a backport of this pull request to the 3.12 branch.
…y tuple to indicate the parsing error (old API) (GH-105127) (#106612) gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) (GH-105127) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). This fixes or at least ameliorates CVE-2023-27043. --------- (cherry picked from commit 18dfbd0) Co-authored-by: Thomas Dwyer <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]>
tdwyer-wish commented Jul 12, 2023 • edited
Hello @gpshead, are you going to take care of the backports/cherrypick for 3.10 and 3.11? I'd do them, but I've never done that before... Hum, actually I don't think I have permission to do that.
gpshead commented Jul 12, 2023
I'll do them, the issue remains assigned to me as a reminder. (Anyone can do it, it's just a matter of creating your PR as a fork of the relevant release branch and selecting the matching base branch in the GitHub UI at PR creation time.)
CharlieZhao95 commented Jul 12, 2023
Please see https://devguide.python.org/core-developers/committing/#backporting-changes-to-an-older-version for details.
gpshead commented Jul 12, 2023
This appears to have caused #106669
| This method returns a list of 2-tuples of the form returned by ``parseaddr()``. | ||
| *fieldvalues* is a sequence of header field values as might be returned by | ||
| :meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple | ||
| example that gets all the recipients of a message:: |
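Review bot: the return-value sentence at the top of this excerpt still says only that getaddresses() returns 2-tuples "of the form returned by ``parseaddr()``", with nothing about the failure case. Since this PR makes a parsing error come back as an empty tuple, state that in this paragraph, or point to where it is documented, so callers know they have to check for it before using the result.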
@tdwyer Is this right? Isn’t the next paragraph still a literal block? Why have you removed this colon?
…g errors and return empty tuple to indicate the parsing error (old API) (python#105127)" This reverts commit 18dfbd0. See python#106669.
… parsing errors ... (pythonGH-105127)" (pythonGH-106733) This reverts commit 18dfbd0. Adds a regression test from the issue. See python#106669.. (cherry picked from commit a31dea1) Co-authored-by: Gregory P. Smith <[email protected]>
This PR is designed to detect parsing errors and return an empty tuple to indicate the parsing error. Additionally, this PR updates `test_email.py` to check for these bugs, and adds some other wacky Address Headers that are in the examples of RFC 2822 and makes sure they are being parsed correctly.

I realize that this PR does not actually track down the bug and fix it. It simply detects the error has happened and returns a parsing error. However, `Lib/email/utils.py` is a much simpler file than `Lib/email/_parseaddr.py`, so it is much easier to review this change. Additionally, there are actually multiple bugs which are causing erroneous output. Tracing the code flow for each and fixing them would be prone to error considering all of the wacky stuff that RFC 2822 allows for in Address headers. Finally, this change is actually rather simple.
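
Added example, not part of the pull request or of CPython: a caller-side wrapper that treats the `('', '')` result of `parseaddr()` as a parsing error and fails closed, on any Python version. The extra consistency checks, the function names and the allow-list are assumptions of this example, and the sample headers are constructed.

```python
from email.utils import parseaddr

PARSE_ERROR = ("", "")  # what parseaddr() returns when it cannot parse


def checked_parseaddr(header_value):
    """Parse a single-address header; return ('', '') unless the result is
    consistent with the input. The extra checks are this example's own
    conservative policy, not CPython's."""
    if not isinstance(header_value, str):
        return PARSE_ERROR
    realname, addr = parseaddr(header_value)
    if (realname, addr) == PARSE_ERROR:
        return PARSE_ERROR              # the parser itself reported an error
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return PARSE_ERROR              # no usable local@domain came back
    if header_value.count("@") != 1:
        return PARSE_ERROR              # more than one candidate address
    if addr not in header_value:
        return PARSE_ERROR              # output does not appear in the input
    return realname, addr


def is_allowed_sender(header_value, allowed_domains):
    """Fail closed: a parsing error is never an allowed sender."""
    _, addr = checked_parseaddr(header_value)
    if not addr:
        return False
    return addr.rpartition("@")[2].lower() in allowed_domains


# Constructed sample header values (not taken from the PR or its tests).
SAMPLES = [
    "Alice Example <alice@example.org>",
    "alice@example.org, bob@example.com",  # two addresses where one is expected
    "alice",                               # no domain part
    "",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", checked_parseaddr(value),
              is_allowed_sender(value, {"example.org"}))
```
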