gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) #108250
Conversation
… tuple to indicate the parsing error (old API)
|
Note, I just have the regex looking for both Double Quotes and Single Quotes but I think only Double-Quotes are allowed to specify a Real Name part. Let me know if Single Quotes can NOT be used to wrap the Real Name e.g. I'll remove that from the regex if so Additionally, I'm also stripping out escaped commas before counting e.g. |
| accepted_values = [] | ||
| for v in email_header_fields: | ||
| s = v.replace('\\(', '').replace('\\)', '') | ||
| if s.count('(') != s.count(')'): |
There was a problem hiding this comment.
This does not check )( or any other combination when ) proceeds (. Probably it could be better to iterate through the string and manually increment and decrement verifying that the counter never goes below 0 and it is exactly 0 at the end
| if s.count('(') != s.count(')'): | |
| counter = 0 | |
| for c in s: | |
| if c == '(': | |
| counter += 1 | |
| elif c == ')': | |
| counter -= 1 | |
| if counter < 0: | |
| break | |
| if counter != 0: |
There was a problem hiding this comment.
Looks like this is not necessary. The fix already accounts for this and none of those are an issue.
My current solution works, because instead of trying to actually parse things I just detect an error has occurred by making sure that the resulting number of address 2-Tuples matches the number of Headers that were parsed. Which is why I went this direction. It's super hard to fix the actual parsing logic of RFC 2822 headers :P
./python
Python 3.13.0a0 (heads/blah_1:a1cc74c4ee, Aug 21 2023, 18:40:57) [GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> from email.utils import parseaddr, getaddresses
>>>
>>>
>>> parseaddr('alice@example.org])(<bob@example.com>')
('', '')
>>>
>>> parseaddr('alice@example.org)(<bob@example.com>')
('', '')
>>>
>>> parseaddr('alice@example.org <bob@example.com>')
('', '')
>>> parseaddr('alice@example.org..<bob@example.com>')
('', '')
>>>
>>> getaddresses(['alice@example.org..<bob@example.com>'])
[('', '')]
>>>
>>> getaddresses(['alice@example.org])(<bob@example.com>'])
[('', '')]
>>>
>>> getaddresses(['alice@example.org)(<bob@example.com>'])
[('', '')]
With the un-patched python your attack results in multiple Tuples being returned
>>> getaddresses(['alice@example.org])(<bob@example.com>'])
[('', 'alice@example.org'), ('', ''), ('', '')]
A cleaner way to say it is this. There are countless ways to trigger this parsing error but there is only one error e.g. the parser will return an abnormal number of output tuples. So, rather than trying to detect every possible input which could trigger the bug, I just detect the one error that they all result in.
There was a problem hiding this comment.
After looking at this again, it is interesting that my solution works here… why do I check for matching parentheses at all ?
blah@example.com)(<bob&@example.com
I have ideas, but I’ll look into it.
Lib/email/utils.py
Outdated
|
|
||
| # When a comma is used in the Real Name part it is not a deliminator | ||
| # So strip those out before counting the commas | ||
| pattern = r'"[^"]*,[^"]*"|\'[^\']*,[^\']\'*|\\,' |
There was a problem hiding this comment.
Does this regex support multiple commas inside quotes?
| pattern = r'"[^"]*,[^"]*"|\'[^\']*,[^\']\'*|\\,' | |
| pattern = r'''"[^"]*,[^"]*"|'[^']*,[^']'*|\\,''' |
There was a problem hiding this comment.
The regex works for multiple commas because the Not-In-List [^"] allows for other commas. There just simply has to be at least one comma in between the Quotes.
There was a problem hiding this comment.
I'm just curious. The regex proposed by me simply ignores whatever is in single or double quotes and seems to be much simpler than this one. Is there any benefit in ignoring only the quoted parts containing at least one comma? I think it has no effect on the comma-counting logic.
There was a problem hiding this comment.
@frenzymadness I don't see your suggested regex. In any case, perhaps what you are suggesting would be fine. I'll think on it. However, from a security perspective I'd like to be as specific as possible, because things get super tricky and I'd not want to implement a fix that is latter proven to be able to be bypassed. It's only the commas in quotes that are an issue here and should be accounted for.
In ether case, I plan on at least implementing the Triple Single-Quote syntax so I don't need to escape the single-quotes.
Additionally, I want looks some more to make sure that single-quotes are valid chars to isolate the Real Name part of the header. It's looking like only Double-Quotes to that, if so then only commas in Double-Quotes should be stripped.
There was a problem hiding this comment.
The regex has been proposed in this comment: #102988 (comment)
There was a problem hiding this comment.
Okay, I'll consider that. I've been busy with work but I plan on adding the extra test_email.py and updating the regex over this weekend.
| eq(utils.getaddresses(['alice@example.org]<bob@example.com>']), | ||
| [('', '')]) |
There was a problem hiding this comment.
| eq(utils.getaddresses(['alice@example.org]<bob@example.com>']), | |
| [('', '')]) | |
| eq(utils.getaddresses(['alice@example.org]<bob@example.com>']), | |
| [('', '')]) | |
| eq(utils.getaddresses(['alice@example.org])(<bob@example.com>']), | |
| [('', '')]) |
There was a problem hiding this comment.
However, not a bad idea to add extra tests. That way if someone else changes this code in the future these other corner cases will be tested for.
|
Any updates on that? |
|
After some investigation, I confirmed that I was being too carful before. Only commas in double-quotes should be accounted for not commas in single-quotes nor commas with prefixed with a backslash A comma in single-quotes and a comma prefixed by a backslash trigger the bug. However, a comma in double-quotes is parsed correctly. This is how all of those cases behave in: Python 2.7.17 Additionally, somehow the fix for CVE-2019-16056 regarding Python 2.7.17 So, this PR fixes both CVE-2019-16056 and CVE-2023-27043 |
|
What is necessary here to move this PR forward? |
|
My colleague Lumir Balhar @frenzymadness ran an impact check on this PR on Fedora: in short, there is no impact, the test suite of all Python packages (in Fedora) pass with the change. While there were some build errors, they were unrelated to the email issue. For details, see https://copr.fedorainfracloud.org/coprs/lbalhar/email-CVE/builds/ COPR which as more than 4300 builds. I created a copy of this PR to add a strict parameter: PR #111116. |
|
Closing this in favor of Victor's updated version. |
This PR is designed to detect parsing errors and return an empty tuple to indicate the parsing error. Additionally, this PR updates the test_email.py to check for these bugs, as well as, adds some other wacky Address Headers that are in the examples of RFC 2822 and makes sure they are being parsed correctly.
I realize that this PR dose not actually track down the bug and fix it. It simply detects the error has happened and returns a parsing error. However, Lib/email/utils.py is a much simpler file than Lib/email/_parseaddr.py, so it is much easier to review this change. Additionally, there are actually multiple bugs which are causing erroneous output. Tracing the code flow for each and fixing them would be prone to error considering all of the wacky stuff that RFC 2822 allows for in Address headers. Finally, this change is actually rather simple.
📚 Documentation preview 📚: https://cpython-previews--108250.org.readthedocs.build/