[3.12] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) by encukou · Pull Request #123766 · python/cpython


encukou (Member) commented on Sep 6, 2024 (edited by github-actionsbot)

…n email.parseaddr() (pythonGH-111116)

Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer.

Co-Authored-By: Thomas Dwyer github@tomd.tel

(cherry picked from commit 4a153a1)
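The behaviour described in the commit message above, as an added example that is not part of the pull request: it compares the default parse with `strict=False` on one malformed header value and shows a caller treating `('', '')` as a parse error. The sample addresses are constructed, the helper names (`legacy_parse`, `default_parse`, `single_address`) are hypothetical, and `email.utils.supports_strict_parsing` is the attribute the standard library documents for detecting the `strict` parameter.

```python
import email.utils
from email.utils import getaddresses, parseaddr

# True on interpreters that carry this fix (and so accept strict=...).
STRICT_AVAILABLE = getattr(email.utils, "supports_strict_parsing", False)

# Constructed sample input: two addr-specs joined by a stray ')'.
MALFORMED = "alice@example.org)<bob@example.com>"
WELL_FORMED = "Alice <alice@example.org>"


def legacy_parse(value):
    """Parse with the pre-fix behaviour (strict=False where the flag exists)."""
    kwargs = {"strict": False} if STRICT_AVAILABLE else {}
    return parseaddr(value, **kwargs), getaddresses([value], **kwargs)


def default_parse(value):
    """Parse with the interpreter's defaults (strict=True once patched)."""
    return parseaddr(value), getaddresses([value])


def single_address(value):
    """Return the one addr-spec in value, or None on any parsing doubt.

    ('', '') is the error marker of the old API, so an empty address part
    means "rejected", never "empty but valid". On interpreters without the
    fix, this guard only catches inputs that the legacy parser splits into
    several entries.
    """
    parsed = getaddresses([value])
    if len(parsed) != 1:
        return None
    _name, addr = parsed[0]
    return addr or None


if __name__ == "__main__":
    print("strict parsing available:", STRICT_AVAILABLE)
    for sample in (WELL_FORMED, MALFORMED):
        print(repr(sample))
        print("  legacy :", legacy_parse(sample))
        print("  default:", default_parse(sample))
        print("  single :", single_address(sample))
```

With the legacy parse, `parseaddr()` returns only the first address of the malformed value and gives no sign that more text followed, which is why code that checks a domain on the result should use the strict default or a wrapper like `single_address`.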

miketheman added a commit to miketheman/warehouse that referenced this pull request

Sep 12, 2024

@miketheman

Now that Python validates the addresses more strictly, we won't hit the condition any longer.

If we wish to preserve this condition, we could also pass strict=False to getaddresses(), but that seems to be counter to our desire of having a valid email address.

Refs: python/cpython#123766

Signed-off-by: Mike Fiedler miketheman@gmail.com

ewdurbin pushed a commit to pypi/warehouse that referenced this pull request

Sep 13, 2024

@miketheman

Refs: https://www.python.org/downloads/release/python-3126/

Signed-off-by: Mike Fiedler miketheman@gmail.com

Now that Python validates the addresses more strictly, we won't hit the condition any longer.

If we wish to preserve this condition, we could also pass strict=False to getaddresses(), but that seems to be counter to our desire of having a valid email address.

Refs: python/cpython#123766

Signed-off-by: Mike Fiedler miketheman@gmail.com

Extract test cases from inline to make it clearer which permutations are being tested.

Signed-off-by: Mike Fiedler miketheman@gmail.com


Signed-off-by: Mike Fiedler miketheman@gmail.com