Abhilash Raj <raj.abhila...@gmail.com> added the comment:

How about we go a slightly different route than suggested by jpic and instead of returning a None value, we return the entire rest of the string as the domain? That would take care of the security issue since it won't be a valid domain anymore.

    import email
    import email.policy

    msg = email.message_from_string(
        'From: SomeAbhilashRaj <abhil...@malicious.org@important.com>',
        policy=email.policy.default)
    print(msg['From'].addresses)
    print(msg['From'].defects)

    (Address(display_name='SomeAbhilashRaj', username='abhilash', domain='malicious....@important.com>'),)
    (InvalidHeaderDefect('invalid address in address-list'), InvalidHeaderDefect("missing trailing '>' on angle-addr"), InvalidHeaderDefect("unpected '@' in domain"), ObsoleteHeaderDefect("period in 'phrase'"))

This lets us do Postel-style error recovery while working in RFC 2822 style grammar. I wrote this patch to achieve this:

@@ -1573,6 +1574,11 @@ def get_domain(value): domain.append(DOT) token, value = get_atom(value[1:]) domain.append(token) + if value and value[0] == '@': + domain.defects.append(errors.InvalidHeaderDefect( + "unpected '@' in domain")) + token = get_unstructured(value) + domain.append(token) return domain, value

Does this make sense?

----------
nosy: +maxking

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue34155>
_______________________________________
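
Review bot: In the added block, value is not reassigned after "token = get_unstructured(value)", so "return domain, value" still hands the caller the text starting at '@' that was just appended to the domain. Either clear value after the append or add a comment saying the leftover is intentional, because the sample output above shows the trailing '>' absorbed into the domain and a "missing trailing '>'" defect, which suggests the remainder is being seen twice. The defect message also has a typo, "unpected" should be "unexpected", and it is worth fixing before callers start matching on that string. A regression test asserting that the parsed domain is never a bare 'malicious.org' for the double-'@' input would pin down the security property this change is meant to give.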
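
An added example, not part of the original message or of CPython's code: a fail-closed check an application could apply before trusting the domain of a From header, relying on the defects list and the domain field discussed above. The function names, the sample messages and the allow-list are assumptions made for the illustration.

```python
import email
import email.policy


def sender_domain(message_text):
    """Return the lower-cased From domain, or None if the header is not clean."""
    msg = email.message_from_string(message_text, policy=email.policy.default)
    if len(msg.get_all("From", [])) != 1:
        return None  # missing or repeated From header
    header = msg["From"]
    if header.defects:
        return None  # the parser recorded a defect; do not trust its recovery
    if len(header.addresses) != 1:
        return None
    addr = header.addresses[0]
    if not addr.username or not addr.domain or "@" in addr.domain:
        return None
    # Independent of parser version: one plain mailbox has exactly one '@'.
    if str(header).count("@") != 1:
        return None
    return addr.domain.lower()


def is_trusted_sender(message_text, allowed_domains):
    """True only when the From header is clean and its domain is allow-listed."""
    domain = sender_domain(message_text)
    return domain is not None and domain in allowed_domains


# Constructed sample messages (not taken from the tracker issue).
GOOD = "From: Some Sender <user@important.com>\n\nhello\n"
DOUBLE_AT = "From: Some Sender <user@malicious.org@important.com>\n\nhello\n"
ALLOWED = {"important.com"}

if __name__ == "__main__":
    for text in (GOOD, DOUBLE_AT):
        print(text.splitlines()[0], "->", is_trusted_sender(text, ALLOWED))
```

The raw '@' count makes the check reject the double-'@' header whether the parser truncates the domain, raises a defect, or returns the rest of the string as the domain.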