From a5cac0ac49d305eecf8e5347aac556a3ec4b4d74 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com>
Date: Sat, 17 Feb 2024 14:01:02 +0100
Subject: [PATCH] [PATCH] [3.11] gh-100884: email/_header_value_parser: don't encode list separators (GH-100885) (GH-115593)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

ListSeparator should not be encoded. This could happen when a long line pushes its separator to the next line, which would have been encoded.
(cherry picked from commit 09fab93c3d857496c0bd162797fab816c311ee48)
Co-authored-by: Thomas Weißschuh
(cherry picked from commit 70754d21c288535e86070ca7a6e90dcb670b8593)
Gbp-Pq: Name CVE-2025-1795-1.patch
---
 Lib/email/_header_value_parser.py | 3 ++-
 Lib/test/test_email/test__header_value_parser.py | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
index e579b31..873e109 100644
--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
@@ -951,6 +951,7 @@ class _InvalidEwError(errors.HeaderParseError):
 # up other parse trees. Maybe should have tests for that, too.
 DOT = ValueTerminal('.', 'dot')
 ListSeparator = ValueTerminal(',', 'list-separator')
+ListSeparator.as_ew_allowed = False
 RouteComponentMarker = ValueTerminal('@', 'route-component-marker')
 #
@@ -2024,7 +2025,7 @@ def get_address_list(value):
 address_list.defects.append(errors.InvalidHeaderDefect(
 "invalid address in address-list"))
 if value: # Must be a , at this point.
- address_list.append(ValueTerminal(',', 'list-separator'))
+ address_list.append(ListSeparator)
 value = value[1:]
 return address_list, value
diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
index 1bdcfa1..6c2543d 100644
--- a/Lib/test/test_email/test__header_value_parser.py
+++ b/Lib/test/test_email/test__header_value_parser.py
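Review bot: The added `ListSeparator.as_ew_allowed = False` has no comment saying why a separator must be exempt from encoding, and the reason matters for anyone touching the folding code later. Going by the commit message, a comma that ends up inside an encoded-word is no longer a delimiter, so the folded header can describe a different address list than the one the application built. I would put `# Header syntax, not data: folding must never put this inside an encoded-word.` above the line. Because the flag lives on the single module-level instance, only call sites that append `ListSeparator` itself are covered; the second hunk converts one fresh `ValueTerminal(',', 'list-separator')` in `get_address_list`, and any similar construction elsewhere in the file, outside this diff, would still be encodable and is worth a grep.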
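Review bot: Appending the shared `ListSeparator` in `get_address_list` puts the same module-level object into every parsed address list, where the removed line gave each tree its own token. The context comment in the first hunk already worries about a program changing these terminals in one parse tree and affecting others, and this line extends that exposure to address lists; whether anything mutates a terminal in practice is not visible here. I would at least record it at the call site with `# Shared module-level token: never mutate terminals taken from a parse tree.`, or keep a per-tree token and set `as_ew_allowed = False` on it. The body of `get_address_list` starts outside the hunk.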
@@ -2946,6 +2946,11 @@ class TestFolding(TestEmailBase):
 '=?utf-8?q?H=C3=BCbsch?= Kaktus ,\n'
 ' =?utf-8?q?bei=C3=9Ft_bei=C3=9Ft?= \n')
+ def test_address_list_with_list_separator_after_fold(self):
+ to = '0123456789' * 8 + '@foo, ä '
+ self._test(parser.get_address_list(to)[0],
+ '0123456789' * 8 + '@foo,\n =?utf-8?q?=C3=A4?= \n')
+
 # XXX Need tests with comments on various sides of a unicode token,
 # and with unicode tokens in the comments. Spaces inside the quotes
 # currently don't do the right thing.
-- 
2.30.2
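Review bot: `test_address_list_with_list_separator_after_fold` does not state the property it guards, and the expected string alone does not make it obvious that the point is the literal `,` left in front of the fold. A one-line comment such as `# The separator pushed past the fold must stay a literal ",", never part of an encoded-word.` would make the regression intent clear. The case exercises only `get_address_list`; if other list-valued headers build their separators through a different path (not visible in this diff), a second case for one of them would pin the fix more broadly.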