author | Victor Stinner <vstinner@python.org> | 2023-12-15 15:10:40 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-15 15:10:40 (GMT) |
commit | 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19 (patch) | |
tree | 26ca5ee7e498371cf1e3ec0147de641ddc7463ef /Doc/library/email.utils.rst | |
parent | 4026ad5b2c595b855a3605420cfa0e3d49e63db7 (diff) | |
[CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
Co-Authored-By: Thomas Dwyer <github@tomd.tel>
Diffstat (limited to 'Doc/library/email.utils.rst')
-rw-r--r-- | Doc/library/email.utils.rst | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst index 345b640..d693a9b 100644 --- a/Doc/library/email.utils.rst +++ b/Doc/library/email.utils.rst @@ -58,13 +58,18 @@ of the new API. begins with angle brackets, they are stripped off. -.. function:: parseaddr(address) +.. function:: parseaddr(address, *, strict=True) Parse address -- which should be the value of some address-containing field such as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and *email address* parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ``('', '')`` is returned. + If *strict* is true, use a strict parser which rejects malformed inputs. + + .. versionchanged:: 3.13 + Add *strict* optional parameter and reject malformed inputs by default. + .. function:: formataddr(pair, charset='utf-8') @@ -82,12 +87,15 @@ of the new API. Added the *charset* option. -.. function:: getaddresses(fieldvalues) +.. function:: getaddresses(fieldvalues, *, strict=True) This method returns a list of 2-tuples of the form returned by ``parseaddr()``. *fieldvalues* is a sequence of header field values as might be returned by - :meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple - example that gets all the recipients of a message:: + :meth:`Message.get_all <email.message.Message.get_all>`. + + If *strict* is true, use a strict parser which rejects malformed inputs. + + Here's a simple example that gets all the recipients of a message:: from email.utils import getaddresses @@ -97,6 +105,9 @@ of the new API. resent_ccs = msg.get_all('resent-cc', []) all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) + .. versionchanged:: 3.13 + Add *strict* optional parameter and reject malformed inputs by default. + .. function:: parsedate(date) |
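Review bot: In the parseaddr() hunk, the added sentence "If *strict* is true, use a strict parser which rejects malformed inputs." does not tell the caller what a rejection looks like or what happens when *strict* is false. The paragraph just above already says a failed parse returns a 2-tuple of ``('', '')``, so say explicitly that a strict rejection returns that same value, and add one sentence describing the non-strict behaviour. The commit message speaks of returning an "empty tuple" while the documentation says ``('', '')``; the wording should agree. Because the signature changes to strict=True by default, the versionchanged entry should also state that inputs accepted by earlier versions can now produce ``('', '')``, so callers know to check for it.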
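Review bot: In the getaddresses() hunks, the documentation never states what the function returns when the strict parser rejects an input; the description only promises "a list of 2-tuples of the form returned by ``parseaddr()``". The example passes several header values at once (tos + ccs + resent_tos + resent_ccs), so the text should spell out whether one malformed value affects only its own entry or the whole returned list, and what the rejected result contains. It would also help to extend the example with the check a caller is expected to make on all_recipients now that rejection is the default.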