Message 344030 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	maxking
Recipients	Dain Dwarf, Windson Yang, barry, bortzmeyer, cnicodeme, jpic, kal.sze, maxking, msapiro, ned.deily, nicoe, r.david.murray, vstinner, xtreak
Date	2019-05-31.06:26:22
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1559283982.86.0.259349738436.issue34155@roundup.psfhosted.org>
In-reply-to

Content
How about we go a slightly different route than suggested by jpic and instead of returning a None value, we return the entire rest of the string as the domain? That would take care of the security issue since it won't be a valid domain anymore. msg = email.message_from_string( 'From: SomeAbhilashRaj <abhilash@malicious.org@important.com>', policy=email.policy.default) print(msg['From'].addresses) print(msg['From'].defects) (Address(display_name='SomeAbhilashRaj', username='abhilash', domain='malicious.org@important.com>'),) (InvalidHeaderDefect('invalid address in address-list'), InvalidHeaderDefect("missing trailing '>' on angle-addr"), InvalidHeaderDefect("unpected '@' in domain"), ObsoleteHeaderDefect("period in 'phrase'")) This lets us do postel-style error recovery while working in RFC 2822 style grammar. I wrote this patch to achieve this: @@ -1573,6 +1574,11 @@ def get_domain(value): domain.append(DOT) token, value = get_atom(value[1:]) domain.append(token) + if value and value[0] == '@': + domain.defects.append(errors.InvalidHeaderDefect( + "unpected '@' in domain")) + token = get_unstructured(value) + domain.append(token) return domain, value Does this makes sense?

How about we go a slightly different route than suggested by jpic and instead of returning a None value, we return the entire rest of the string as the domain? That would take care of the security issue since it won't be a valid domain anymore.


     msg = email.message_from_string(
        'From: SomeAbhilashRaj <abhilash@malicious.org@important.com>',    
        policy=email.policy.default)
     print(msg['From'].addresses)
     print(msg['From'].defects)

     (Address(display_name='SomeAbhilashRaj', username='abhilash', domain='malicious.org@important.com>'),)
     (InvalidHeaderDefect('invalid address in address-list'), InvalidHeaderDefect("missing trailing '>' on angle-addr"),  InvalidHeaderDefect("unpected '@' in domain"), ObsoleteHeaderDefect("period in 'phrase'"))


This lets us do postel-style error recovery while working in RFC 2822 style grammar. 

I wrote this patch to achieve this:


@@ -1573,6 +1574,11 @@ def get_domain(value):
             domain.append(DOT)
             token, value = get_atom(value[1:])
             domain.append(token)
+    if value and value[0] == '@':
+        domain.defects.append(errors.InvalidHeaderDefect(
+            "unpected '@' in domain"))
+        token = get_unstructured(value)
+        domain.append(token)
     return domain, value

Does this makes sense?

History
Date	User	Action	Args
2019-05-31 06:26:22	maxking	set	recipients: + maxking, barry, vstinner, msapiro, ned.deily, r.david.murray, nicoe, kal.sze, Windson Yang, xtreak, cnicodeme, bortzmeyer, jpic, Dain Dwarf
2019-05-31 06:26:22	maxking	set	messageid: <1559283982.86.0.259349738436.issue34155@roundup.psfhosted.org>
2019-05-31 06:26:22	maxking	link	issue34155 messages
2019-05-31 06:26:22	maxking	create