email.utils.getaddresses() rejects email addresses with "," in name #106669

felixxm · 2023-07-12T07:52:40Z

Bug report

email.utils.getaddresses() returns ('', '') for email addresses with , in a real name, e.g.

>>> from email.utils import getaddresses
>>> getaddresses(('"Sürname, Firstname" <to@example.com>',))
[('', '')]

Regression in 18dfbd0.

Your environment

CPython versions tested on: 3.12.0b4
Operating system and architecture: x86_64 GNU/Linux

Linked PRs

gh-106669: Revert "gh-102988: Detect email address parsing errors ... (#105127)" #106733
[3.12] gh-106669: Revert "gh-102988: Detect email address parsing errors ... (GH-105127)" (GH-106733) #106941

The text was updated successfully, but these errors were encountered:

felixxm · 2023-07-12T08:50:01Z

A regression test:

diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
index 5238944d6b..30ade53a9a 100644
--- a/Lib/test/test_email/test_email.py
+++ b/Lib/test/test_email/test_email.py
@@ -3319,6 +3319,22 @@ def test_getaddresses(self):
            [('Al Person', 'aperson@dom.ain'),
             ('Bud Person', 'bperson@dom.ain')])
 
+    def test_getaddresses_comma_in_name(self):
+        self.assertEqual(
+            utils.getaddresses(
+                [
+                    '"Bud, Person" <bperson@dom.ain>',
+                    'aperson@dom.ain (Al Person)',
+                    '"Mariusz Felisiak" <to@example.com>',
+                ]
+            ),
+            [
+                ('Bud Person', 'bperson@dom.ain'),
+                ('Al Person', 'aperson@dom.ain'),
+                ('Mariusz Felisiak', 'to@example.com'),
+            ],
+        )
+
     def test_getaddresses_parsing_errors(self):
         """Test for parsing errors from CVE-2023-27043"""
         eq = self.assertEqual

rouilj · 2023-07-13T23:22:57Z

Thanks for finding this. It blew up the regression testing for the Roundup Issue Tracker during my release yesterday. Specifically for:

email.utils.getaddresses(['"Bork, Chef" chef@bork.bork.bork'])
[('', '')]

Any idea if there will be a beta-5 to fix this? If not I could use some ideas on how to
handle/decorate the three tests that are failing when run on 3.12.

Thanks.

…g errors and return empty tuple to indicate the parsing error (old API) (python#105127)" This reverts commit 18dfbd0. See python#106669.

gpshead · 2023-07-14T00:57:46Z

If you add a test skip decorator, I'd do it specifically for 3.12beta4. Something like this:

@unittest.skipIf(sys.version_info == (3, 12, 0, 'beta', 4), "https://github.com/python/cpython/issues/106669")
def test_oops(self): ...

It does not look like there is an easy acceptable workaround for the bug as the source of the problem appears to be the comma counting logic added near the end of email.utils.getaddresses().

It's up to @Yhg1s to decide if this warrants a beta5 or not. I've prepared a rollback of the change that caused it.

…#105127)" (#106733) This reverts commit 18dfbd0. Adds a regression test from the issue. See #106669.

… parsing errors ... (pythonGH-105127)" (pythonGH-106733) This reverts commit 18dfbd0. Adds a regression test from the issue. See python#106669.. (cherry picked from commit a31dea1) Co-authored-by: Gregory P. Smith <greg@krypto.org>

…ors ... (GH-105127)" (GH-106733) (#106941) This reverts commit 18dfbd0. Adds a regression test from the issue. See #106669.. (cherry picked from commit a31dea1)

michel-slm · 2023-07-26T18:05:06Z

This also breaks b4 very similarly to Django; mentioning here for reference

https://bugzilla.redhat.com/show_bug.cgi?id=2226159

    def test_header_wrapping(sampledir, hval, verify, tr):
        hname = 'To' if '@' in hval else "X-Header"
        wrapped = b4.LoreMessage.wrap_header((hname, hval), transform=tr)
>       assert wrapped.decode() == f'{hname}: {verify}'
E       assert 'To: ' == 'To: foo@exam...@example.com>'
E         + To: 
E         - To: foo@example.com, Foo Bar <bar@example.com>, 
E         -  =?utf-8?q?F=C3=B4o_Baz?= <baz@example.com>, "Quux, Foo" <quux@example.com>
tests/test___init__.py:171: AssertionError

gpshead · 2023-07-26T18:43:07Z

The rollbacks were merged and will appear in 3.12.0rc1.

https://build.opensuse.org/request/show/1100886 by user mcepl + anag+factory - Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for stabilizing FLAG_REF usage (required for reproduceability; bsc#1213463). - Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)

https://build.opensuse.org/request/show/1102235 by user mcepl + dimstar_suse - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it).

https://build.opensuse.org/request/show/1102238 by user mcepl + dimstar_suse - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669.

https://build.opensuse.org/request/show/1102193 by user mcepl + dimstar_suse - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669.

https://build.opensuse.org/request/show/1102236 by user mcepl + dimstar_suse - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it).

https://build.opensuse.org/request/show/1102237 by user mcepl + dimstar_suse - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it).

https://build.opensuse.org/request/show/1103620 by user mcepl + dimstar_suse - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing error

felixxm added the type-bug An unexpected behavior, bug, or error label Jul 12, 2023

AlexWaygood added topic-email 3.12 bugs and security fixes 3.13 new features, bugs and security fixes labels Jul 12, 2023

AlexWaygood assigned gpshead Jul 12, 2023

This was referenced Jul 12, 2023

[CVE-2023-27043] Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple #102988

Open

gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) #105127

Merged

gpshead added the release-blocker label Jul 12, 2023

gpshead mentioned this issue Jul 14, 2023

gh-106669: Revert "gh-102988: Detect email address parsing errors ... (#105127)" #106733

Merged

felixxm mentioned this issue Jul 17, 2023

Refs #34118 -- Improved sanitize_address() error message for tuple with empty strings. django/django#17079

Merged

gpshead added a commit that referenced this issue Jul 21, 2023

gh-106669: Revert "gh-102988: Detect email address parsing errors ... (…

a31dea1

…#105127)" (#106733) This reverts commit 18dfbd0. Adds a regression test from the issue. See #106669.

gpshead mentioned this issue Jul 21, 2023

[3.12] gh-106669: Revert "gh-102988: Detect email address parsing errors ... (GH-105127)" (GH-106733) #106941

Merged

gpshead closed this as completed Jul 26, 2023

email.utils.getaddresses() rejects email addresses with "," in name #106669

email.utils.getaddresses() rejects email addresses with "," in name #106669

felixxm commented Jul 12, 2023 •

edited by bedevere-bot

felixxm commented Jul 12, 2023

rouilj commented Jul 13, 2023

gpshead commented Jul 14, 2023

michel-slm commented Jul 26, 2023

gpshead commented Jul 26, 2023

email.utils.getaddresses() rejects email addresses with "," in name #106669

email.utils.getaddresses() rejects email addresses with "," in name #106669

Comments

felixxm commented Jul 12, 2023 • edited by bedevere-bot

Bug report

Your environment

Linked PRs

felixxm commented Jul 12, 2023

rouilj commented Jul 13, 2023

gpshead commented Jul 14, 2023

michel-slm commented Jul 26, 2023

gpshead commented Jul 26, 2023

felixxm commented Jul 12, 2023 •

edited by bedevere-bot