From 0642365055592e95fdbb93ba7ae0a29a9a0ba8a0 Mon Sep 17 00:00:00 2001 From: Frederick Price Date: Thu, 14 Sep 2023 18:08:04 -0400 Subject: [PATCH] Revert "Fix for CVE-2023-27043" This reverts commit 61b1299029858c6c2c6f772327f9daee17f7102d. --- Doc/library/email.utils.rst | 26 +----- Doc/whatsnew/3.7.rst | 9 --- Lib/email/utils.py | 65 ++------------- Lib/test/test_email/test_email.py | 81 +------------------ Misc/NEWS.d/3.7.17.rst | 12 +-- ...-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 - 6 files changed, 12 insertions(+), 185 deletions(-) delete mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst index 06b816d4c14236..4d0e920eb0ad29 100644 --- a/Doc/library/email.utils.rst +++ b/Doc/library/email.utils.rst @@ -67,11 +67,6 @@ of the new API. *email address* parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ``('', '')`` is returned. - .. versionchanged:: 3.7 - For security reasons, addresses that were ambiguous and could parse into - multiple different addresses now cause ``('', '')`` to be returned - instead of only one of the *potential* addresses. - .. function:: formataddr(pair, charset='utf-8') @@ -94,7 +89,7 @@ of the new API. This method returns a list of 2-tuples of the form returned by ``parseaddr()``. *fieldvalues* is a sequence of header field values as might be returned by :meth:`Message.get_all `. Here's a simple - example that gets all the recipients of a message: + example that gets all the recipients of a message:: from email.utils import getaddresses @@ -104,25 +99,6 @@ of the new API. resent_ccs = msg.get_all('resent-cc', []) all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) - When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` - is returned in its place. Other errors in parsing the list of - addresses such as a fieldvalue seemingly parsing into multiple - addresses may result in a list containing a single empty 2-tuple - ``[('', '')]`` being returned rather than returning potentially - invalid output. - - Example malformed input parsing: - - .. doctest:: - - >>> from email.utils import getaddresses - >>> getaddresses(['alice@example.com ', 'me@example.com']) - [('', '')] - - .. versionchanged:: 3.7 - The 2-tuple of ``('', '')`` in the returned values when parsing - fails were added as to address a security issue. - .. function:: parsedate(date) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 9aa6573e8391c7..76ce80c5921b8f 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -900,15 +900,6 @@ therefore included in source distributions. (Contributed by Ryan Gonzalez in :issue:`11913`.) -email ------ - -* :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return - ``('', '')`` 2-tuples in more situations where invalid email addresses are - encountered instead of potentially inaccurate values. - (Contributed by Thomas Dwyer for :gh:`102988` to ameliorate CVE-2023-27043.) - - enum ---- diff --git a/Lib/email/utils.py b/Lib/email/utils.py index 078f445cdf78ca..858f620e25bfb0 100644 --- a/Lib/email/utils.py +++ b/Lib/email/utils.py @@ -81,7 +81,7 @@ def formataddr(pair, charset='utf-8'): If the first element of pair is false, then the second element is returned unmodified. - The optional charset is the character set that is used to encode + Optional charset if given is the character set that is used to encode realname in case realname is not ASCII safe. Can be an instance of str or a Charset-like object which has a header_encode method. Default is 'utf-8'. @@ -106,54 +106,12 @@ def formataddr(pair, charset='utf-8'): return address -def _pre_parse_validation(email_header_fields): - accepted_values = [] - for v in email_header_fields: - s = v.replace('\\(', '').replace('\\)', '') - if s.count('(') != s.count(')'): - v = "('', '')" - accepted_values.append(v) - - return accepted_values - - -def _post_parse_validation(parsed_email_header_tuples): - accepted_values = [] - # The parser would have parsed a correctly formatted domain-literal - # The existence of an [ after parsing indicates a parsing failure - for v in parsed_email_header_tuples: - if '[' in v[1]: - v = ('', '') - accepted_values.append(v) - - return accepted_values - def getaddresses(fieldvalues): - """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. - - When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in - its place. - - If the resulting list of parsed address is not the same as the number of - fieldvalues in the input list a parsing error has occurred. A list - containing a single empty 2-tuple [('', '')] is returned in its place. - This is done to avoid invalid output. - """ - fieldvalues = [str(v) for v in fieldvalues] - fieldvalues = _pre_parse_validation(fieldvalues) - all = COMMASPACE.join(v for v in fieldvalues) + """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" + all = COMMASPACE.join(fieldvalues) a = _AddressList(all) - result = _post_parse_validation(a.addresslist) - - n = 0 - for v in fieldvalues: - n += v.count(',') + 1 - - if len(result) != n: - return [('', '')] - - return result + return a.addresslist def _format_timetuple_and_zone(timetuple, zone): @@ -251,18 +209,9 @@ def parseaddr(addr): Return a tuple of realname and email address, unless the parse fails, in which case return a 2-tuple of ('', ''). """ - if isinstance(addr, list): - addr = addr[0] - - if not isinstance(addr, str): - return ('', '') - - addr = _pre_parse_validation([addr])[0] - addrs = _post_parse_validation(_AddressList(addr).addresslist) - - if not addrs or len(addrs) > 1: - return ('', '') - + addrs = _AddressList(addr).addresslist + if not addrs: + return '', '' return addrs[0] diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py index 8b5c9c1e7542b1..64bcdcc47ad0b5 100644 --- a/Lib/test/test_email/test_email.py +++ b/Lib/test/test_email/test_email.py @@ -3213,90 +3213,15 @@ def test_getaddresses(self): [('Al Person', 'aperson@dom.ain'), ('Bud Person', 'bperson@dom.ain')]) - def test_getaddresses_parsing_errors(self): - """Test for parsing errors from CVE-2023-27043""" - eq = self.assertEqual - eq(utils.getaddresses(['alice@example.org(']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org)']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org<']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org>']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org@']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org,']), - [('', 'alice@example.org'), ('', 'bob@example.com')]) - eq(utils.getaddresses(['alice@example.org;']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org:']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org.']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org"']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org[']), - [('', '')]) - eq(utils.getaddresses(['alice@example.org]']), - [('', '')]) - - def test_parseaddr_parsing_errors(self): - """Test for parsing errors from CVE-2023-27043""" - eq = self.assertEqual - eq(utils.parseaddr(['alice@example.org(']), - ('', '')) - eq(utils.parseaddr(['alice@example.org)']), - ('', '')) - eq(utils.parseaddr(['alice@example.org<']), - ('', '')) - eq(utils.parseaddr(['alice@example.org>']), - ('', '')) - eq(utils.parseaddr(['alice@example.org@']), - ('', '')) - eq(utils.parseaddr(['alice@example.org,']), - ('', '')) - eq(utils.parseaddr(['alice@example.org;']), - ('', '')) - eq(utils.parseaddr(['alice@example.org:']), - ('', '')) - eq(utils.parseaddr(['alice@example.org.']), - ('', '')) - eq(utils.parseaddr(['alice@example.org"']), - ('', '')) - eq(utils.parseaddr(['alice@example.org[']), - ('', '')) - eq(utils.parseaddr(['alice@example.org]']), - ('', '')) - def test_getaddresses_nasty(self): eq = self.assertEqual eq(utils.getaddresses(['foo: ;']), [('', '')]) - eq(utils.getaddresses(['[]*-- =~$']), [('', '')]) + eq(utils.getaddresses( + ['[]*-- =~$']), + [('', ''), ('', ''), ('', '*--')]) eq(utils.getaddresses( ['foo: ;', '"Jason R. Mastaler" ']), [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) - eq(utils.getaddresses( - [r'Pete(A nice \) chap) ']), - [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]) - eq(utils.getaddresses( - ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']), - [('', '')]) - eq(utils.getaddresses( - ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']), - [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]) - eq(utils.getaddresses( - ['John Doe ']), - [('John Doe (comment)', 'jdoe@machine.example')]) - eq(utils.getaddresses( - ['"Mary Smith: Personal Account" ']), - [('Mary Smith: Personal Account', 'smith@home.example')]) - eq(utils.getaddresses( - ['Undisclosed recipients:;']), - [('', '')]) - eq(utils.getaddresses( - [r', "Giant; \"Big\" Box" ']), - [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]) def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" diff --git a/Misc/NEWS.d/3.7.17.rst b/Misc/NEWS.d/3.7.17.rst index 687ccb4b9ee8e2..0fb5d4b7ccee33 100644 --- a/Misc/NEWS.d/3.7.17.rst +++ b/Misc/NEWS.d/3.7.17.rst @@ -1,14 +1,3 @@ -.. date: 2023-09-11-20-07-52 -.. gh-issue:102988 -.. nonce: GLWDMX -.. release date: 2023-09-11 -.. section: Security - -email.utils.getaddresses and email.utils.parseaddr now return -``('', '')`` 2-tuples in more situations where invalid email addresses are -encountered instead of potentially inaccurate values. -(Contributed by Thomas Dwyer for :gh:`102988` to ameliorate CVE-2023-27043.) - .. date: 2023-08-22-17-39-12 .. gh-issue: 108310 .. nonce: fVM3sg @@ -24,6 +13,7 @@ post-handshake TLS encrypted data. Security issue reported as Oksman. Patch by Gregory P. Smith. .. + .. date: 2023-06-05-04-07-52 .. gh-issue: 103142 .. nonce: GLWDMX diff --git a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst deleted file mode 100644 index e0434ccd2ccab5..00000000000000 --- a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst +++ /dev/null @@ -1,4 +0,0 @@ -CVE-2023-27043: Prevent :func:`email.utils.parseaddr` -and :func:`email.utils.getaddresses` from returning the realname portion of an -invalid RFC2822 email header in the email address portion of the 2-tuple -returned after being parsed by :class:`email._parseaddr.AddressList`.