cpython/Lib
wouter bolsterlee 989f6a3800
bpo-45001: Make email date parsing more robust against malformed input (GH-27946)
Various date parsing utilities in the email module, such as
email.utils.parsedate(), are supposed to gracefully handle invalid
input, typically by raising an appropriate exception or by returning
None.

The internal email._parseaddr._parsedate_tz() helper used by some of
these date parsing routines tries to be robust against malformed input,
but unfortunately it can still crash ungracefully when a non-empty but
whitespace-only input is passed. This manifests as an unexpected
IndexError.

In practice, this can happen when parsing an email with only a newline
inside a ‘Date:’ header, which unfortunately happens occasionally in the
real world.

Here's a minimal example:

    $ python
    Python 3.9.6 (default, Jun 30 2021, 10:22:16)
    [GCC 11.1.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import email.utils
    >>> email.utils.parsedate('foo')
    >>> email.utils.parsedate(' ')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
        t = parsedate_tz(data)
      File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
        res = _parsedate_tz(data)
      File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
        if data[0].endswith(',') or data[0].lower() in _daynames:
    IndexError: list index out of range

The fix is rather straight-forward: guard against empty lists, after
splitting on whitespace, but before accessing the first element.
2021-08-26 16:49:03 +02:00
..
asyncio Trivial typo in docstring 2021-07-31 06:36:10 +02:00
collections bpo-27275: Change popitem() and pop() methods of collections.OrderedDict (GH-27530) 2021-08-03 13:00:55 +02:00
concurrent
ctypes Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
curses
dbm
distutils bpo-44781: make distutils test suppress deprecation warning from import distutils (GH-27485) 2021-08-02 11:34:55 +02:00
email bpo-45001: Make email date parsing more robust against malformed input (GH-27946) 2021-08-26 16:49:03 +02:00
encodings
ensurepip Upgrade bundled pip and setuptools (#27625) 2021-08-06 20:22:48 +02:00
html
http
idlelib Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
importlib bpo-43392: Optimize repeated calls to __import__() (GH-24735) 2021-08-12 11:23:29 -07:00
json
lib2to3 make lib2to3 parse async generators everywhere (GH-6588) 2021-08-10 11:31:32 +02:00
logging bpo-44291: Fix reconnection in logging.handlers.SysLogHandler (GH-26490) 2021-08-05 14:58:16 +01:00
msilib
multiprocessing bpo-38840: Incorrect __all__ in multiprocessing.managers (GH-18034) 2021-08-09 18:44:55 +02:00
pydoc_data
site-packages
sqlite3 bpo-27334: roll back transaction if sqlite3 context manager fails to commit (GH-26202) 2021-08-25 11:59:42 +01:00
test bpo-45001: Make email date parsing more robust against malformed input (GH-27946) 2021-08-26 16:49:03 +02:00
tkinter bpo-44404: tkinter after support callable classes (GH-26812) 2021-06-23 13:30:24 +03:00
turtledemo
unittest bpo-41322: Add unit tests for deprecation of test return values (GH-27846) 2021-08-22 21:32:45 +03:00
urllib Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
venv
wsgiref
xml Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
xmlrpc Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
zoneinfo
__future__.py
__phello__.foo.py
_aix_support.py
_bootsubprocess.py
_collections_abc.py bpo-44801: Check arguments in substitution of ParamSpec in Callable (GH-27585) 2021-08-04 20:07:01 +02:00
_compat_pickle.py
_compression.py
_markupbase.py
_osx_support.py bpo-43425: Update _osx_support not to use distutils.log (GH-26968) 2021-07-01 09:35:10 +09:00
_py_abc.py
_pydecimal.py Remove unnecessary test for xc == 1 in _pydecimal (GH-27102) 2021-07-15 12:48:46 +02:00
_pyio.py
_sitebuiltins.py
_strptime.py
_threading_local.py
_weakrefset.py
abc.py Clarify the order of a stacked abstractmethod (GH-26892) 2021-06-27 21:02:23 +03:00
aifc.py bpo-30077: Add support for Apple aifc/sowt pseudo-compression (GH-24449) 2021-08-13 13:31:25 +02:00
antigravity.py
argparse.py bpo-38956: don't print BooleanOptionalAction's default twice (GH-27672) 2021-08-16 23:42:21 +02:00
ast.py
asynchat.py bpo-44498: Issue a deprecation warning on asynchat, asyncore and smtpd import (#26882) 2021-06-24 12:37:26 -07:00
asyncore.py bpo-44498: Issue a deprecation warning on asynchat, asyncore and smtpd import (#26882) 2021-06-24 12:37:26 -07:00
base64.py bpo-44690: Adopt binacii.a2b_base64's strict mode in base64.b64decode (GH-27272) 2021-08-23 16:44:28 -07:00
bdb.py
binhex.py
bisect.py
bz2.py bpo-44439: BZ2File.write() / LZMAFile.write() handle buffer protocol correctly (GH-26764) 2021-06-22 10:04:23 +03:00
calendar.py
cgi.py
cgitb.py bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) 2021-07-27 00:11:55 +02:00
chunk.py
cmd.py
code.py
codecs.py
codeop.py
colorsys.py Improve consistency of colorsys.rgb_to_hsv (GH-27277) 2021-07-23 09:59:30 -03:00
compileall.py bpo-34990: Treat the pyc header's mtime in compileall as an unsigned int (GH-19708) 2021-08-24 12:13:32 +03:00
configparser.py bpo-38741: Definition of multiple ']' in header configparser (GH-17129) 2021-07-13 15:54:06 +02:00
contextlib.py bpo-44566: resolve differences between asynccontextmanager and contextmanager (#27024) 2021-07-20 20:15:07 +02:00
contextvars.py
copy.py
copyreg.py bpo-44676: Serialize the union type using only public API (GH-27323) 2021-07-24 21:26:02 +03:00
cProfile.py
crypt.py
csv.py bpo-43625: Enhance csv sniffer has_headers() to be more accurate (GH-26939) 2021-07-30 19:10:37 +02:00
dataclasses.py
datetime.py
decimal.py
difflib.py
dis.py bpo-43950: include position in dis.Instruction (GH-27015) 2021-07-04 12:05:05 -07:00
doctest.py
enum.py bpo-44929: [Enum] Fix global repr (GH-27789) 2021-08-25 07:24:32 -07:00
filecmp.py bpo-42958: Improve description of shallow= in filecmp.cmp docs (GH-27166) 2021-08-04 21:39:45 +02:00
fileinput.py
fnmatch.py bpo-42799: fnmatch module: bump up size of lru_cache for patterns (GH-27084) 2021-07-15 12:53:26 +02:00
fractions.py
ftplib.py
functools.py bpo-44605: Teach @total_ordering() to work with metaclasses (GH-27633) 2021-08-06 14:33:30 -05:00
genericpath.py
getopt.py
getpass.py
gettext.py
glob.py bpo-44482: Fix very unlikely resource leak in glob in non-CPython implementations (GH-26843) 2021-06-23 12:53:37 +03:00
graphlib.py
gzip.py bpo-44439: BZ2File.write() / LZMAFile.write() handle buffer protocol correctly (GH-26764) 2021-06-22 10:04:23 +03:00
hashlib.py
heapq.py
hmac.py
imaplib.py
imghdr.py bpo-44539: Support recognizing JPEG files without JFIF or Exif markers (GH-26964) 2021-07-20 20:56:57 +02:00
imp.py
inspect.py bpo-44648: Fix error type in inspect.getsource() in interactive session (GH-27171) 2021-07-30 19:17:46 +02:00
io.py
ipaddress.py
keyword.py
linecache.py
locale.py
lzma.py bpo-44439: BZ2File.write() / LZMAFile.write() handle buffer protocol correctly (GH-26764) 2021-06-22 10:04:23 +03:00
mailbox.py
mailcap.py
mimetypes.py bpo-44582: Accelerate mimetypes.init on Windows with a native accelerator (GH-27059) 2021-07-08 16:48:42 +01:00
modulefinder.py
netrc.py
nntplib.py
ntpath.py
nturl2path.py
numbers.py
opcode.py bpo-44889: Specialize LOAD_METHOD with PEP 659 adaptive interpreter (GH-27722) 2021-08-17 15:55:55 +01:00
operator.py bpo-44558: Match countOf is/== treatment to c (GH-27007) 2021-07-07 22:28:09 +09:00
optparse.py
os.py bpo-42053: Remove misleading check in os.fwalk() (GH-27669) 2021-08-08 21:04:02 +03:00
pathlib.py bpo-27827: identify a greater range of reserved filename on Windows. (GH-26698) 2021-07-28 16:28:14 +02:00
pdb.py bpo-44682: Handle invalid arg to pdb's "commands" directive (#27252) 2021-07-28 18:55:03 +02:00
pickle.py
pickletools.py
pipes.py Change type check to isinstance in pipes (GH-27291) 2021-07-28 15:38:06 +02:00
pkgutil.py
platform.py platform: Import subprocess in function. (GH-27610) 2021-08-05 14:04:01 +09:00
plistlib.py
poplib.py
posixpath.py bpo-26329: update os.path.normpath documentation (GH-20138) 2021-07-12 09:48:01 -03:00
pprint.py bpo-41546: make pprint (like print) not write to stdout when it is None (GH-26810) 2021-07-19 10:19:02 +01:00
profile.py
pstats.py
pty.py bpo-26228: [doc] Adapt PTY documentation updates from GH-4167 (GH-27754) 2021-08-13 12:57:07 +02:00
py_compile.py
pyclbr.py
pydoc.py bpo-44967: pydoc: return non-zero exit code when query is not found (GH-27868) 2021-08-26 14:22:02 +02:00
queue.py
quopri.py
random.py
re.py
reprlib.py
rlcompleter.py bpo-44752: refactor part of rlcompleter.Completer.attr_matches (GH-27433) 2021-07-29 16:01:21 +02:00
runpy.py
sched.py
secrets.py
selectors.py
shelve.py
shlex.py
shutil.py bpo-33671 fix orphaned comment in shutil.copyfileobj (GH-27516) 2021-07-31 15:15:45 -04:00
signal.py
site.py
smtpd.py bpo-44498: Issue a deprecation warning on asynchat, asyncore and smtpd import (#26882) 2021-06-24 12:37:26 -07:00
smtplib.py bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) 2021-07-27 00:11:55 +02:00
sndhdr.py
socket.py
socketserver.py
sre_compile.py
sre_constants.py
sre_parse.py
ssl.py
stat.py
statistics.py
string.py
stringprep.py
struct.py
subprocess.py bpo-44935: enable posix_spawn() on Solaris (GH-27795) 2021-08-17 11:09:48 -07:00
sunau.py
symtable.py bpo-42355: symtable.get_namespace() now checks whether there are multiple or any namespaces found (GH-23278) 2021-07-18 15:56:09 +03:00
sysconfig.py Fix osx_framework_user include to match distutils (#27093) 2021-07-15 11:44:04 +02:00
tabnanny.py
tarfile.py
telnetlib.py Remove unnecessary pass statements (GH-27103) 2021-07-13 15:02:30 +02:00
tempfile.py
textwrap.py
this.py
threading.py bpo-44422: threading.Thread reuses the _delete() method (GH-26741) 2021-06-16 11:41:17 +02:00
timeit.py
token.py
tokenize.py Add tests for the C tokenizer and expose it as a private module (GH-27924) 2021-08-24 17:50:05 +01:00
trace.py
traceback.py bpo-43950: support some multi-line expressions for PEP 657 (GH-27339) 2021-07-25 15:01:44 -07:00
tracemalloc.py
tty.py
turtle.py Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
types.py bpo-44732: Rename types.Union to types.UnionType (#27342) 2021-07-26 18:00:21 +02:00
typing.py bpo-44524: Don't modify MRO when inheriting from typing.Annotated (GH-27841) 2021-08-25 21:13:59 +03:00
uu.py
uuid.py
warnings.py
wave.py
weakref.py Update URLs in comments and metadata to use HTTPS (GH-27458) 2021-07-30 15:54:46 +02:00
webbrowser.py bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) 2021-07-27 00:11:55 +02:00
xdrlib.py
zipapp.py
zipfile.py bpo-44129: Add descriptive global variables for general purpose bit flags (GH-26118) 2021-07-03 17:37:57 +03:00
zipimport.py