forked from pool/python38
Matej Cepl 2023-07-12 16:31:40 +00:00 committed by Git OBS Bridge
parent ad4c4c8221
commit ab9641870b


@ -1,12 +1,14 @@
--- ---
Doc/library/email.utils.rst | 26 +++ Doc/library/email.utils.rst | 26 +++
Lib/email/utils.py | 63 +++++++ Lib/email/utils.py | 62 ++++++-
Lib/test/test_email/test_email.py | 81 +++++++++- Lib/test/test_email/test_email.py | 81 +++++++++-
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4
4 files changed, 164 insertions(+), 10 deletions(-) 4 files changed, 163 insertions(+), 10 deletions(-)
--- a/Doc/library/email.utils.rst Index: Python-3.8.17/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst ===================================================================
--- Python-3.8.17.orig/Doc/library/email.utils.rst
+++ Python-3.8.17/Doc/library/email.utils.rst
@@ -67,6 +67,11 @@ of the new API. @@ -67,6 +67,11 @@ of the new API.
*email address* parts. Returns a tuple of that information, unless the parse *email address* parts. Returns a tuple of that information, unless the parse
fails, in which case a 2-tuple of ``('', '')`` is returned. fails, in which case a 2-tuple of ``('', '')`` is returned.
@ -54,12 +56,14 @@
.. function:: parsedate(date) .. function:: parsedate(date)
--- a/Lib/email/utils.py Index: Python-3.8.17/Lib/email/utils.py
+++ b/Lib/email/utils.py ===================================================================
@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'): --- Python-3.8.17.orig/Lib/email/utils.py
+++ Python-3.8.17/Lib/email/utils.py
@@ -105,13 +105,54 @@ def formataddr(pair, charset='utf-8'):
return '%s%s%s <%s>' % (quotes, name, quotes, address)
return address return address
+def _pre_parse_validation(email_header_fields): +def _pre_parse_validation(email_header_fields):
+ accepted_values = [] + accepted_values = []
+ for v in email_header_fields: + for v in email_header_fields:
@ -81,11 +85,11 @@
+ accepted_values.append(v) + accepted_values.append(v)
+ +
+ return accepted_values + return accepted_values
+
def getaddresses(fieldvalues): def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" - """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
- all = COMMASPACE.join(str(v) for v in fieldvalues) - all = COMMASPACE.join(fieldvalues)
+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. + """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+ +
+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in + When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
@ -114,7 +118,7 @@
def _format_timetuple_and_zone(timetuple, zone): def _format_timetuple_and_zone(timetuple, zone):
@@ -209,9 +251,18 @@ def parseaddr(addr): @@ -209,9 +250,18 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', ''). which case return a 2-tuple of ('', '').
""" """
@ -136,9 +140,11 @@
return addrs[0] return addrs[0]
--- a/Lib/test/test_email/test_email.py Index: Python-3.8.17/Lib/test/test_email/test_email.py
+++ b/Lib/test/test_email/test_email.py ===================================================================
@@ -3263,15 +3263,90 @@ Foo --- Python-3.8.17.orig/Lib/test/test_email/test_email.py
+++ Python-3.8.17/Lib/test/test_email/test_email.py
@@ -3248,15 +3248,90 @@ Foo
[('Al Person', 'aperson@dom.ain'), [('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')]) ('Bud Person', 'bperson@dom.ain')])
@ -232,8 +238,10 @@
def test_getaddresses_embedded_comment(self): def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment""" """Test proper handling of a nested comment"""
Index: Python-3.8.17/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
===================================================================
--- /dev/null --- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst +++ Python-3.8.17/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+CVE-2023-27043: Prevent :func:`email.utils.parseaddr` +CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
+and :func:`email.utils.getaddresses` from returning the realname portion of an +and :func:`email.utils.getaddresses` from returning the realname portion of an