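--- a/PATH-NOT-SHOWN-ON-PAGE-get_domain
+++ b/PATH-NOT-SHOWN-ON-PAGE-get_domain
@@ -1964,6 +1964,8 @@ def get_domain(value):
         token, value = get_dot_atom(value)
     except errors.HeaderParseError:
         token, value = get_atom(value)
+    if value and value[0] == '@':
+        raise errors.HeaderParseError('Invalid Domain')
     if leader is not None:
         token[:0] = [leader]
     domain.append(token)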
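Review bot: The two added lines reject a second `@` without any explanatory comment, while the parallel check in the _parseaddr section of this same commit carries a `# bpo-34155:` comment; add the same context here, e.g. `# bpo-34155: a second '@' after the domain must fail the whole parse rather than leave 'a@b' looking like a valid address with an unparsed tail.` The check runs only after the atom/dot-atom parse; if get_domain has a separate return path for domain literals (`[...]`) above this hunk, that path would not reach it, so a test for that form would confirm the intended coverage. The body of get_domain starts and continues outside the hunk.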
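--- a/PATH-NOT-SHOWN-ON-PAGE-getaddrspec
+++ b/PATH-NOT-SHOWN-ON-PAGE-getaddrspec
@@ -379,7 +379,12 @@ def getaddrspec(self):
             aslist.append('@')
             self.pos += 1
             self.gotonext()
-        return EMPTYSTRING.join(aslist) + self.getdomain()
+        domain = self.getdomain()
+        if not domain:
+            # Invalid domain, return an empty address instead of returning a
+            # local part to denote failed parsing.
+            return EMPTYSTRING
+        return EMPTYSTRING.join(aslist) + domain
 
     def getdomain(self):
         """Get the complete domain name from an address."""
@@ -394,6 +399,10 @@ def getdomain(self):
             elif self.field[self.pos] == '.':
                 self.pos += 1
                 sdlist.append('.')
+            elif self.field[self.pos] == '@':
+                # bpo-34155: Don't parse domains with two `@` like
+                # `a@malicious.org@important.com`.
+                return EMPTYSTRING
             elif self.field[self.pos] in self.atomends:
                 break
             else: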
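Review bot: The new `if not domain` guard in getaddrspec cannot distinguish the second-`@` rejection from a domain that is simply empty (presumably `a@` with nothing after the `@`), so that input now also yields an empty address where the removed line would have returned the joined local part and `@`; if that widening is intended, say so in the comment, e.g. `# Empty or invalid domain (see getdomain): return an empty address instead of the local part.` The early `return EMPTYSTRING` in getdomain also leaves self.pos on the second `@` without consuming it, so how the caller treats the unparsed tail is decided outside this hunk. Both getaddrspec and getdomain begin outside the hunks shown.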
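--- a/PATH-NOT-SHOWN-ON-PAGE-test_get_addr_spec
+++ b/PATH-NOT-SHOWN-ON-PAGE-test_get_addr_spec
@@ -1418,6 +1418,16 @@ def test_get_addr_spec_dot_atom(self):
         self.assertEqual(addr_spec.domain, 'example.com')
         self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
 
+    def test_get_addr_spec_multiple_domains(self):
+        with self.assertRaises(errors.HeaderParseError):
+            parser.get_addr_spec('star@a.star@example.com')
+
+        with self.assertRaises(errors.HeaderParseError):
+            parser.get_addr_spec('star@a@example.com')
+
+        with self.assertRaises(errors.HeaderParseError):
+            parser.get_addr_spec('star@172.17.0.1@example.com')
+
     # get_obs_route
 
     def test_get_obs_route_simple(self):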
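Review bot: test_get_addr_spec_multiple_domains pins only atom and dot-atom domains; the new check in get_domain sits after the atom parse, so if domain literals take their own path there, a case such as `star@[127.0.0.1]@example.com` is not exercised here and is worth adding (or noting as out of scope in a comment). A `for addr in (...): with self.subTest(addr=addr):` loop around the three `assertRaises` blocks would also report each failing input separately instead of stopping at the first.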
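--- a/PATH-NOT-SHOWN-ON-PAGE-test_parseaddr
+++ b/PATH-NOT-SHOWN-ON-PAGE-test_parseaddr
@@ -3015,6 +3015,20 @@ def test_parseaddr_empty(self):
         self.assertEqual(utils.parseaddr('<>'), ('', ''))
         self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
 
+    def test_parseaddr_multiple_domains(self):
+        self.assertEqual(
+            utils.parseaddr('a@b@c'),
+            ('', '')
+        )
+        self.assertEqual(
+            utils.parseaddr('a@b.c@c'),
+            ('', '')
+        )
+        self.assertEqual(
+            utils.parseaddr('a@172.17.0.1@c'),
+            ('', '')
+        )
+
     def test_noquote_dump(self):
         self.assertEqual(
             utils.formataddr(('A Silly Person', 'person@dom.ain')),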
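Review bot: The three assertEqual calls repeat one shape with a different input; a loop `for addr in ('a@b@c', 'a@b.c@c', 'a@172.17.0.1@c'):` with `with self.subTest(addr=addr): self.assertEqual(utils.parseaddr(addr), ('', ''))` reports each failing input separately and makes adding further forms a one-line change. The angle-bracket form `<a@b@c>` and a display-name form presumably reach getaddrspec through a different entry point than the bare address, so one of each would pin the fix for those callers as well.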
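--- a/Misc/NEWS.d/next/Security/FILENAME-NOT-SHOWN-ON-PAGE
+++ b/Misc/NEWS.d/next/Security/FILENAME-NOT-SHOWN-ON-PAGE
+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.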