cpython/Misc/NEWS.d/next/Library
Miss Islington (bot) 2cdbd3b8b2
bpo-45001: Make email date parsing more robust against malformed input (GH-27946) (GH-27973)

Various date parsing utilities in the email module, such as
email.utils.parsedate(), are supposed to gracefully handle invalid
input, typically by raising an appropriate exception or by returning
None.

The internal email._parseaddr._parsedate_tz() helper used by some of
these date parsing routines tries to be robust against malformed input,
but unfortunately it can still crash ungracefully when a non-empty but
whitespace-only input is passed. This manifests as an unexpected
IndexError.

In practice, this can happen when parsing an email with only a newline
inside a ‘Date:’ header, which unfortunately happens occasionally in the
real world.

Here's a minimal example:

    $ python
    Python 3.9.6 (default, Jun 30 2021, 10:22:16)
    [GCC 11.1.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import email.utils
    >>> email.utils.parsedate('foo')
    >>> email.utils.parsedate(' ')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
        t = parsedate_tz(data)
      File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
        res = _parsedate_tz(data)
      File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
        if data[0].endswith(',') or data[0].lower() in _daynames:
    IndexError: list index out of range

The fix is rather straightforward: guard against empty lists, after
splitting on whitespace, but before accessing the first element.

(cherry picked from commit 989f6a3800)

Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
2021-08-26 17:48:20 +02:00
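
A defensive wrapper for the failure described in the commit message above, for mail-handling code that may still run on an interpreter without this fix. This is an added example, not part of the CPython change; `safe_parse_date`, `count_malformed` and the sample header values are constructed for illustration.

```python
import email.utils
from datetime import datetime, timezone

# Constructed sample Date header values (not taken from real mail).
SAMPLES = [
    "Thu, 26 Aug 2021 17:48:20 +0200",  # well-formed
    "foo",                              # garbage: parsedate_tz() returns None
    " ",                                # whitespace only: IndexError before the fix
    "\n",                               # bare newline, as in the commit message
    "",                                 # empty
]


def safe_parse_date(value):
    """Return an aware UTC datetime, or None for any malformed value."""
    if not isinstance(value, str):
        return None
    # Same guard as the fix: split on whitespace and stop if nothing is left,
    # so an unpatched _parsedate_tz() never indexes into an empty list.
    if not value.split():
        return None
    try:
        parsed = email.utils.parsedate_tz(value)
    except (IndexError, ValueError, TypeError):
        return None  # treat any parser crash as "no usable date"
    if parsed is None:
        return None
    try:
        ts = email.utils.mktime_tz(parsed)
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None


def count_malformed(values):
    """Number of values that yield no usable date."""
    return sum(1 for v in values if safe_parse_date(v) is None)


if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "->", safe_parse_date(v))
```

A rising `count_malformed` figure over incoming mail is worth logging, since a parser exception on one header can otherwise abort processing of the whole message.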
2017-09-20-14-43-03.bpo-29298._78CSN.rst bpo-29298: Fix crash with required subparsers without dest (GH-3680) (GH-27304) 2021-07-23 15:27:17 +02:00
2018-04-24-14-25-07.bpo-33349.Y_0LIr.rst make lib2to3 parse async generators everywhere (GH-6588) (GH-27703) 2021-08-10 11:56:50 +02:00
2019-06-03-23-53-25.bpo-27513.qITN7d.rst bpo-27513: email.utils.getaddresses() now handles Header objects (GH-13797) (#27245) 2021-07-19 19:28:56 +02:00
2019-09-25-13-54-41.bpo-30256.wBkzox.rst bpo-30256: [doc] Fix formatting error in news (GH-26994) (GH-26996) 2021-07-02 18:38:04 +01:00
2020-01-16-23-41-16.bpo-38840.VzzYZz.rst bpo-38840: Incorrect __all__ in multiprocessing.managers (GH-18034) (GH-27684) 2021-08-09 19:31:10 +02:00
2020-04-24-20-39-38.bpo-34990.3SmL9M.rst [3.9] bpo-34990: Treat the pyc header's mtime in compileall as an unsigned int (GH-19708) 2021-08-24 11:07:31 -04:00
2020-07-13-23-46-59.bpo-32695.tTqqXe.rst bpo-32695: Docs and tests for compresslevel and preset kwargs in tarfile (GH-21470) (GH-27674) 2021-08-09 12:30:00 +02:00
2020-07-26-18-17-30.bpo-41402.YRkVkp.rst bpo-41402: Fix email ContentManager calling .encode() on bytes (GH-21631) (GH-27687) 2021-08-10 00:34:58 +02:00
2021-02-06-05-34-01.bpo-43048.yCPUmo.rst [3.9] bpo-43048: RecursionError traceback RecursionError bugfix for cpy3.9 (GH-24460) (#24460) 2021-07-12 17:58:47 +02:00
2021-04-15-12-02-17.bpo-43853.XXCVAp.rst [3.9] bpo-43853: Amend NEWS entry for latest changes in sqlite3 (GH-27922) (GH-27952) 2021-08-25 20:26:28 +01:00
2021-05-18-00-17-21.bpo-27334.32EJZi.rst [3.9] bpo-27334: roll back transaction if sqlite3 context manager fails to commit (GH-26202) (GH-27944) 2021-08-25 20:02:25 +01:00
2021-06-10-21-53-46.bpo-34266.k3fxnm.rst bpo-34266: [pdb] handle ValueError from shlex.split() (GH-26656) (GH-27005) 2021-07-03 17:05:33 +01:00
2021-06-12-21-25-35.bpo-27827.TMWh1i.rst bpo-27827: identify a greater range of reserved filename on Windows. (GH-26698) (#27422) 2021-07-28 17:15:51 +02:00
2021-06-24-19-16-20.bpo-42892.qvRNhI.rst bpo-42892: fix email multipart attribute error (GH-26903) (GH-27493) 2021-07-30 19:30:58 +02:00
2021-06-29-21-17-17.bpo-44461.acqRnV.rst [3.9] bpo-44461: Check early that a pdb target is valid for execution. (GH-27227) (GH-27400) 2021-07-28 18:48:52 -04:00
2021-07-04-11-33-34.bpo-41249.sHdwBE.rst [3.9] bpo-41249: Fix postponed annotations for TypedDict (GH-27017) (GH-27205) 2021-07-17 11:36:38 +02:00
2021-07-04-21-16-53.bpo-44558.cm7Slv.rst bpo-44558: Make the implementation consistency of operator.indexOf (GH-27012) 2021-07-05 02:52:04 -07:00
2021-07-05-18-13-25.bpo-44566.o51Bd1.rst [3.9] bpo-44566: resolve differences between asynccontextmanager and contextmanager (GH-27024). (#27269) 2021-07-20 21:12:58 +02:00
2021-07-09-07-14-37.bpo-41928.Q1jMrr.rst [3.9] bpo-43219: shutil.copyfile, raise a less confusing exception instead of IsADirectoryError (GH-27049) (GH-27082) 2021-07-09 21:13:59 -07:00
2021-07-13-09-01-33.bpo-44608.R3IcM1.rst bpo-44608: Fix memory leak in _tkinter._flatten() (GH-27107) 2021-07-13 22:44:08 -07:00
2021-07-16-13-40-31.bpo-40897.aveAre.rst bpo-40897:Give priority to using the current class constructor in inspect.signature (GH-27177) (GH-27209) 2021-07-17 10:36:31 +02:00
2021-07-21-10-43-22.bpo-44666.CEThkv.rst bpo-44666: Use default encoding as fallback for compile_file (GH-27236) (GH-27489) 2021-07-30 19:12:29 +02:00
2021-07-21-23-16-30.bpo-44704.iqHLxQ.rst bpo-44704: Make Set._hash consistent with frozenset.__hash__ (GH-27281) (GH-27283) 2021-07-21 19:23:38 -05:00
2021-07-24-02-17-59.bpo-44720.shU5Qm.rst bpo-44720: Don't crash when calling weakref.proxy(not_an_iterator).__next__ (GH-27316) (#27325) 2021-07-24 11:45:40 +02:00
2021-07-27-22-11-29.bpo-44752._bvbrZ.rst bpo-44752: Make rlcompleter not call @property methods (GH-27401) (#27445) 2021-07-29 15:53:39 +02:00
2021-07-28-15-50-59.bpo-42853.8SYiF_.rst [3.9] bpo-42853: Fix http.client fails to download >2GiB data over TLS (GH-27405) 2021-07-28 15:27:49 +02:00
2021-07-30-23-27-30.bpo-44667.tu0Xrv.rst bpo-44667: Treat correctly lines ending with comments and no newlines in the Python tokenizer (GH-27499) (GH-27501) 2021-08-02 11:44:01 +02:00
2021-08-02-14-37-32.bpo-44806.wOW_Qn.rst bpo-44806: Fix __init__ in subclasses of protocols (GH-27545) (GH-27559) 2021-08-02 18:52:16 +02:00
2021-08-03-15-02-28.bpo-44815.9AmFfy.rst [3.9] bpo-44815: Always show deprecation in asyncio.gather/sleep() (GH-27569) 2021-08-18 20:47:55 +02:00
2021-08-04-12-29-00.bpo-44822.zePNXA.rst [3.9] bpo-44822: Don't truncate strs with embedded NULL chars returned by sqlite3 UDF callbacks (GH-27588). (GH-27639) 2021-08-07 00:02:06 +03:00
2021-08-06-09-43-50.bpo-44605.q4YSBZ.rst bpo-44605: Teach @total_ordering() to work with metaclasses (GH-27633) (GH-27641) 2021-08-06 14:57:52 -05:00
2021-08-06-13-00-28.bpo-44849.O78F_f.rst bpo-44849: Fix os.set_inheritable() on FreeBSD 14 with O_PATH (GH-27623) 2021-08-06 06:42:51 -07:00
2021-08-06-19-15-52.bpo-44581.oFDBTB.rst [3.9] Upgrade bundled pip and setuptools (GH-27625) (GH-27658) 2021-08-09 16:46:15 +02:00
2021-08-09-13-17-10.bpo-38956.owWLNv.rst [3.9] bpo-38956: don't print BooleanOptionalAction's default twice (GH-27672) (GH-27788) 2021-08-17 11:17:00 +02:00
2021-08-19-15-03-54.bpo-44955.1mxFQS.rst bpo-44955: Always call stopTestRun() for implicitly created TestResult objects (GH-27831) (GH-27882) 2021-08-22 21:15:10 +03:00
2021-08-26-16-25-48.bpo-45001.tn_dKp.rst bpo-45001: Make email date parsing more robust against malformed input (GH-27946) (GH-27973) 2021-08-26 17:48:20 +02:00
README.rst

Put news entry `blurb`_ files for the *Library* section in this directory.

.. _blurb: https://pypi.org/project/blurb/