[CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() #111116
Conversation
|
@gpshead @serhiy-storchaka @bitdancer @warsaw: Would you mind to review this security fix? See issue gh-102988 for the context. This PR is a copy of PR #108250 but I added strict=True parameter, so it's possible to get the old behavior. I added tests on both modes, strict=True and strict=False. |
My colleague Lumir Balhar @frenzymadness ran an impact check of PR #108250 on Fedora: in short, there is no impact, the test suite of all Python packages (in Fedora) pass with the change. While there were some build errors, they were unrelated to the email issue. For details, see https://copr.fedorainfracloud.org/coprs/lbalhar/email-CVE/builds/ COPR which as more than 4300 builds. Now with an additional strict parameter, if there is any impacted project, at least there is a way to "opt out". |
|
@tdwyer: Would you mind to review my change, to see if I preserved your work correctly? (code and tests) |
vstinner
added
type-security
|
I think that we should backport the change to all branches accepting security fixes. Problem: the change refer to version numbers, which as |
|
@ambv @SethMichaelLarson: Would you mind to review this PR? |
ambv
changed the title
|
Why is this a separate PR from #108250? |
Doc/whatsnew/3.13.rst
Outdated
| @@ -165,7 +165,7 @@ email | |||
| encountered instead of potentially inaccurate values. Add optional *strict* | |||
| parameter to these two functions: use ``strict=False`` to get the old | |||
| behavior, accept malformed inputs. | |||
| (Contributed by Thomas Dwyer for :gh:`102988` to ameliorate CVE-2023-27043 | |||
| (Contributed by Thomas Dwyer for :gh:`102988` to improve the CVE-2023-27043 | |||
Lib/email/utils.py
Outdated
| @@ -42,6 +42,8 @@ | |||
|
|
|||
| specialsre = re.compile(r'[][\\()<>@,:;".]') | |||
| escapesre = re.compile(r'[\\"]') | |||
| realname_comma_re = re.compile(r'"[^"]*,[^"]*"') | |||
There was a problem hiding this comment.
| realname_comma_re = re.compile(r'"[^"]*,[^"]*"') | |
| realname_comma_re = re.compile(r'"[^",]*+,[^"]*+"') |
It is faster. But I am not sure that the use of such regex is correct.
Lib/email/utils.py
Outdated
| def _pre_parse_validation(email_header_fields): | ||
| accepted_values = [] | ||
| for v in email_header_fields: | ||
| s = v.replace('\\(', '').replace('\\)', '') |
There was a problem hiding this comment.
But what if that backslash was already escaped with a backslash? For example \\) or \\\\).
I'm not the author of the other PR. I copied the other PR and added strict parameter. |
|
I'm not the author of this PR and I was able to make commits to it. |
I don't feel comfortable to make significant change of a PR without asking the author. I prefer to create a separated PR and ask for review. |
|
Is this behavior a bug or a feature? I don't know how |
Oh. getaddresses() expects a sequence, not a string :-) |
|
Except of The latest major change was done in... 1997 with commit be7c45e
The latest minor change was done in 2019 to fix CVE-2019-16056: commit 8cb65d1 of issue #78336. |
Oh, realname_comma_re replaces |
|
Email addresses have multiple standards:
|
|
Thanks @vstinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.9. |
|
Thanks @vstinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8. |
|
Sorry, @vstinner, I could not cleanly backport this to |
|
Sorry, @vstinner, I could not cleanly backport this to |
|
Sorry, @vstinner, I could not cleanly backport this to |
|
Sorry, @vstinner, I could not cleanly backport this to |
|
Sorry, @vstinner, I could not cleanly backport this to |
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. Co-Authored-By: Thomas Dwyer <[email protected]> (cherry picked from commit 4a153a1)
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. Co-Authored-By: Thomas Dwyer <[email protected]> (cherry picked from commit 4a153a1)
|
GH-123766 is a backport of this pull request to the 3.12 branch. |
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
|
GH-123767 is a backport of this pull request to the 3.11 branch. |
…n email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
|
GH-123768 is a backport of this pull request to the 3.10 branch. |
…l.parseaddr() (GH-111116) (#123766) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. Co-Authored-By: Thomas Dwyer <[email protected]> (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]>
…l.parseaddr() (GH-111116) (#123767) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-authored-by: Thomas Dwyer <[email protected]>
… email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
|
GH-123769 is a backport of this pull request to the 3.9 branch. |
… email.parseaddr() (pythonGH-111116) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
|
GH-123770 is a backport of this pull request to the 3.8 branch. |
….parseaddr() (GH-111116) (#123769) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
….parseaddr() (GH-111116) (#123770) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
…l.parseaddr() (GH-111116) (#123768) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1) Co-authored-by: Victor Stinner <[email protected]> Co-Authored-By: Thomas Dwyer <[email protected]>
Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer.
📚 Documentation preview 📚: https://cpython-previews--111116.org.readthedocs.build/