Message344030
How about we go a slightly different route than suggested by jpic and instead of returning a None value, we return the entire rest of the string as the domain? That would take care of the security issue since it won't be a valid domain anymore.
import email
import email.policy

# Parse a From header whose addr-spec contains a second '@'.
msg = email.message_from_string(
    'From: SomeAbhilashRaj <abhilash@malicious.org@important.com>',
    policy=email.policy.default)
print(msg['From'].addresses)
print(msg['From'].defects)
(Address(display_name='SomeAbhilashRaj', username='abhilash', domain='malicious.org@important.com>'),)
(InvalidHeaderDefect('invalid address in address-list'), InvalidHeaderDefect("missing trailing '>' on angle-addr"), InvalidHeaderDefect("unpected '@' in domain"), ObsoleteHeaderDefect("period in 'phrase'"))
This lets us do Postel-style error recovery while working in RFC 2822 style grammar.
I wrote this patch to achieve this:
@@ -1573,6 +1574,11 @@ def get_domain(value):
domain.append(DOT)
token, value = get_atom(value[1:])
domain.append(token)
+ if value and value[0] == '@':
+ domain.defects.append(errors.InvalidHeaderDefect(
+ "unpected '@' in domain"))
+ token = get_unstructured(value)
+ domain.append(token)
return domain, value
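Review bot: the added branch never reassigns `value` after `token = get_unstructured(value)`, so `return domain, value` hands the caller the same text, starting at the '@', that was just appended to the domain. Update `value` inside the branch to whatever is left unconsumed (the empty string if the whole remainder goes into the domain) so the tail is not parsed a second time. The defect text in the added `errors.InvalidHeaderDefect(` call is also misspelled: "unpected" should be "unexpected".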
Does this make sense?
Date | User | Action | Args
2019-05-31 06:26:22 | maxking | set | recipients: + maxking, barry, vstinner, msapiro, ned.deily, r.david.murray, nicoe, kal.sze, Windson Yang, xtreak, cnicodeme, bortzmeyer, jpic, Dain Dwarf
2019-05-31 06:26:22 | maxking | set | messageid: <1559283982.86.0.259349738436.issue34155@roundup.psfhosted.org>
2019-05-31 06:26:22 | maxking | link | issue34155 messages
2019-05-31 06:26:22 | maxking | create |
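An added example, not part of the message above or of CPython: one way for calling code to consume the defects discussed in this message, refusing to trust a From domain whenever the parser registered any defect. The helper name `trusted_sender_domain` and the sample messages are hypothetical and constructed for illustration.

```python
import email
import email.policy


def trusted_sender_domain(raw_message):
    """Return the From domain, or None if the header cannot be trusted.

    Hypothetical helper for illustration; not part of the email package.
    """
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    header = msg['From']
    if header is None:
        return None
    # Any parser defect (such as the one registered for a second '@')
    # means the parsed fields may not reflect what the sender wrote.
    if header.defects:
        return None
    addresses = header.addresses
    if len(addresses) != 1:
        return None
    domain = addresses[0].domain
    # Defence in depth for parsers that recover instead of failing:
    # a usable domain never contains these characters.
    if not domain or any(ch in domain for ch in '@<> '):
        return None
    return domain.lower()


# Constructed sample inputs.
SPOOFED = 'From: SomeAbhilashRaj <abhilash@malicious.org@important.com>\n\nbody\n'
VALID = 'From: Some User <user@important.com>\n\nbody\n'
NO_FROM = 'Subject: hello\n\nbody\n'

if __name__ == '__main__':
    for raw in (SPOOFED, VALID, NO_FROM):
        print(repr(trusted_sender_domain(raw)))
```

Checking `defects` first keeps the decision independent of how a given Python version recovers from the malformed addr-spec.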