bpo-34155: Dont parse domains containing @ (GH-13079)

Before: >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='a', domain='malicious.org'),) >>> parseaddr('a@malicious.org@important.com') ('', 'a@malicious.org') After: >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='', domain=''),) >>> parseaddr('a@malicious.org@important.com') ('', 'a@') https://bugs.python.org/issue34155
2025-08-30 21:48:47 +00:00 · 2019-07-17 23:54:25 +02:00 · 2019-07-17 23:54:25 +02:00 · 8cb65d1381
commit 8cb65d1381
parent 719a062bcb
5 changed files with 37 additions and 1 deletions
--- a/Lib/email/_parseaddr.py
+++ b/Lib/email/_parseaddr.py
@ -379,7 +379,12 @@ class AddrlistClass:
        aslist.append('@')
        self.pos += 1
        self.gotonext()
-        return EMPTYSTRING.join(aslist) + self.getdomain()
+        domain = self.getdomain()
+        if not domain:
+            # Invalid domain, return an empty address instead of returning a
+            # local part to denote failed parsing.
+            return EMPTYSTRING
+        return EMPTYSTRING.join(aslist) + domain

    def getdomain(self):
        """Get the complete domain name from an address."""
@ -394,6 +399,10 @@ class AddrlistClass:
            elif self.field[self.pos] == '.':
                self.pos += 1
                sdlist.append('.')
+            elif self.field[self.pos] == '@':
+                # bpo-34155: Don't parse domains with two `@` like
+                # `a@malicious.org@important.com`.
+                return EMPTYSTRING
            elif self.field[self.pos] in self.atomends:
                break
            else: