Skip to content

Commit

Permalink
Revert "Fix for CVE-2023-27043"
Browse files Browse the repository at this point in the history 
This reverts commit 61b1299.
  • Loading branch information
@rickprice
rickprice committed Sep 14, 2023
1 parent 2743bd7 commit 0642365
Show file tree
Hide file tree
Showing 6 changed files with 12 additions and 185 deletions.
26 changes: 1 addition & 25 deletions Doc/library/email.utils.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,11 +67,6 @@ of the new API.
*email address* parts. Returns a tuple of that information, unless the parse
fails, in which case a 2-tuple of ``('', '')`` is returned.

.. versionchanged:: 3.7
For security reasons, addresses that were ambiguous and could parse into
multiple different addresses now cause ``('', '')`` to be returned
instead of only one of the *potential* addresses.


.. function:: formataddr(pair, charset='utf-8')

Expand All @@ -94,7 +89,7 @@ of the new API.
This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
*fieldvalues* is a sequence of header field values as might be returned by
:meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple
example that gets all the recipients of a message:
example that gets all the recipients of a message::

from email.utils import getaddresses

Expand All @@ -104,25 +99,6 @@ of the new API.
resent_ccs = msg.get_all('resent-cc', [])
all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)

When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
is returned in its place. Other errors in parsing the list of
addresses such as a fieldvalue seemingly parsing into multiple
addresses may result in a list containing a single empty 2-tuple
``[('', '')]`` being returned rather than returning potentially
invalid output.

Example malformed input parsing:

.. doctest::

>>> from email.utils import getaddresses
>>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
[('', '')]

.. versionchanged:: 3.7
The 2-tuple of ``('', '')`` in the returned values when parsing
fails were added as to address a security issue.


.. function:: parsedate(date)

Expand Down
9 changes: 0 additions & 9 deletions Doc/whatsnew/3.7.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -900,15 +900,6 @@ therefore included in source distributions.
(Contributed by Ryan Gonzalez in :issue:`11913`.)


email
-----

* :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return
``('', '')`` 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values.
(Contributed by Thomas Dwyer for :gh:`102988` to ameliorate CVE-2023-27043.)


enum
----

Expand Down
65 changes: 7 additions & 58 deletions Lib/email/utils.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ def formataddr(pair, charset='utf-8'):
If the first element of pair is false, then the second element is
returned unmodified.
The optional charset is the character set that is used to encode
Optional charset if given is the character set that is used to encode
realname in case realname is not ASCII safe. Can be an instance of str or
a Charset-like object which has a header_encode method. Default is
'utf-8'.
Expand All @@ -106,54 +106,12 @@ def formataddr(pair, charset='utf-8'):
return address


def _pre_parse_validation(email_header_fields):
accepted_values = []
for v in email_header_fields:
s = v.replace('\\(', '').replace('\\)', '')
if s.count('(') != s.count(')'):
v = "('', '')"
accepted_values.append(v)

return accepted_values


def _post_parse_validation(parsed_email_header_tuples):
accepted_values = []
# The parser would have parsed a correctly formatted domain-literal
# The existence of an [ after parsing indicates a parsing failure
for v in parsed_email_header_tuples:
if '[' in v[1]:
v = ('', '')
accepted_values.append(v)

return accepted_values


def getaddresses(fieldvalues):
"""Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
its place.
If the resulting list of parsed address is not the same as the number of
fieldvalues in the input list a parsing error has occurred. A list
containing a single empty 2-tuple [('', '')] is returned in its place.
This is done to avoid invalid output.
"""
fieldvalues = [str(v) for v in fieldvalues]
fieldvalues = _pre_parse_validation(fieldvalues)
all = COMMASPACE.join(v for v in fieldvalues)
"""Return a list of (REALNAME, EMAIL) for each fieldvalue."""
all = COMMASPACE.join(fieldvalues)
a = _AddressList(all)
result = _post_parse_validation(a.addresslist)

n = 0
for v in fieldvalues:
n += v.count(',') + 1

if len(result) != n:
return [('', '')]

return result
return a.addresslist


def _format_timetuple_and_zone(timetuple, zone):
Expand Down Expand Up @@ -251,18 +209,9 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', '').
"""
if isinstance(addr, list):
addr = addr[0]

if not isinstance(addr, str):
return ('', '')

addr = _pre_parse_validation([addr])[0]
addrs = _post_parse_validation(_AddressList(addr).addresslist)

if not addrs or len(addrs) > 1:
return ('', '')

addrs = _AddressList(addr).addresslist
if not addrs:
return '', ''
return addrs[0]


Expand Down
81 changes: 3 additions & 78 deletions Lib/test/test_email/test_email.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3213,90 +3213,15 @@ def test_getaddresses(self):
[('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')])

def test_getaddresses_parsing_errors(self):
"""Test for parsing errors from CVE-2023-27043"""
eq = self.assertEqual
eq(utils.getaddresses(['alice@example.org(<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org)<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org<<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org><bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org@<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org,<bob@example.com>']),
[('', 'alice@example.org'), ('', 'bob@example.com')])
eq(utils.getaddresses(['alice@example.org;<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org:<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org.<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org"<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org[<bob@example.com>']),
[('', '')])
eq(utils.getaddresses(['alice@example.org]<bob@example.com>']),
[('', '')])

def test_parseaddr_parsing_errors(self):
"""Test for parsing errors from CVE-2023-27043"""
eq = self.assertEqual
eq(utils.parseaddr(['alice@example.org(<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org)<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org<<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org><bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org@<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org,<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org;<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org:<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org.<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org"<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org[<bob@example.com>']),
('', ''))
eq(utils.parseaddr(['alice@example.org]<bob@example.com>']),
('', ''))

def test_getaddresses_nasty(self):
eq = self.assertEqual
eq(utils.getaddresses(['foo: ;']), [('', '')])
eq(utils.getaddresses(['[]*-- =~$']), [('', '')])
eq(utils.getaddresses(
['[]*-- =~$']),
[('', ''), ('', ''), ('', '*--')])
eq(utils.getaddresses(
['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
[('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
eq(utils.getaddresses(
[r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>']),
[('Pete (A nice ) chap his account his host)', 'pete@silly.test')])
eq(utils.getaddresses(
['(Empty list)(start)Undisclosed recipients :(nobody(I know))']),
[('', '')])
eq(utils.getaddresses(
['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']),
[('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')])
eq(utils.getaddresses(
['John Doe <jdoe@machine(comment). example>']),
[('John Doe (comment)', 'jdoe@machine.example')])
eq(utils.getaddresses(
['"Mary Smith: Personal Account" <smith@home.example>']),
[('Mary Smith: Personal Account', 'smith@home.example')])
eq(utils.getaddresses(
['Undisclosed recipients:;']),
[('', '')])
eq(utils.getaddresses(
[r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>']),
[('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')])

def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment"""
Expand Down
12 changes: 1 addition & 11 deletions Misc/NEWS.d/3.7.17.rst
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,3 @@
.. date: 2023-09-11-20-07-52
.. gh-issue:102988
.. nonce: GLWDMX
.. release date: 2023-09-11
.. section: Security
email.utils.getaddresses and email.utils.parseaddr now return
``('', '')`` 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values.
(Contributed by Thomas Dwyer for :gh:`102988` to ameliorate CVE-2023-27043.)

.. date: 2023-08-22-17-39-12
.. gh-issue: 108310
.. nonce: fVM3sg
Expand All @@ -24,6 +13,7 @@ post-handshake TLS encrypted data. Security issue reported as
Oksman. Patch by Gregory P. Smith.

..
.. date: 2023-06-05-04-07-52
.. gh-issue: 103142
.. nonce: GLWDMX
Expand Down
4 changes: 0 additions & 4 deletions Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
View file

This file was deleted.

0 comments on commit 0642365

Please sign in to comment.