.. _email-parseaddr-domain:

email.utils.parseaddr mistakenly parses an email
================================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python `_ is available on GitHub
   in the Open Source Vulnerability (OSV) format. This vulnerability can be
   viewed online at the `Open Source Vulnerability Database `_.

email.utils.parseaddr wrongly parses the From field of an email.
``email.utils.parseaddr('John Doe jdoe@example.com ')`` returns
``('', 'John Doe jdoe@example.com')``, whereas it should return
``('John Doe jdoe@example.com', 'other@example.net')``.

Dates:

* Disclosure date: **2018-07-19** (Python issue bpo-34155 reported)

Fixed In
--------

* Python **2.7.17** (2019-10-19) fixed by `commit 4cbcd2f (branch 2.7) `_ (2019-09-14)
* Python **3.5.8** (2019-10-29) fixed by `commit 063eba2 (branch 3.5) `_ (2019-09-07)
* Python **3.6.10** (2019-12-18) fixed by `commit 13a1913 (branch 3.6) `_ (2019-08-09)
* Python **3.7.5** (2019-10-14) fixed by `commit c48d606 (branch 3.7) `_ (2019-08-09)
* Python **3.8.0** (2019-10-14) fixed by `commit 2170774 (branch 3.8) `_ (2019-08-09)

Python issue
------------

[CVE-2019-16056] email.utils.parseaddr mistakenly parse an email.

* Python issue: `bpo-34155 `_
* Creation date: 2018-07-19
* Reporter: Cyril Nicodème

CVE-2019-16056
--------------

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x
through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses
email addresses that contain multiple @ characters. An application that
uses the email module and implements some kind of checks on the From/To
headers of a message could be tricked into accepting an email address that
should be denied. An attack may be the same as in CVE-2019-11340; however,
this CVE applies to Python more generally.
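The header check described above is what this bug undermines: on an unfixed interpreter, ``parseaddr`` hands back a truncated address that looks valid. The following validator is an added example, not code from this advisory or from CPython; ``checked_sender_domain``, ``ADDR_SPEC_RE``, ``ALLOWED`` and the sample header values are all constructed for the demonstration. It refuses any header carrying more than one ``@`` before trusting the parsed result, so the outcome does not depend on the Python version.

```python
import re
from email.utils import parseaddr

# Conservative addr-spec shape: one local part, one "@", a dotted domain.
# Deliberately stricter than RFC 5322 (no quoted local parts, no literals).
ADDR_SPEC_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

def checked_sender_domain(header_value, allowed_domains):
    """Return the lower-cased domain of a From/To header value if it holds
    exactly one well-formed address in allowed_domains, else None.

    Any header with more than one "@" is refused outright: an unfixed
    parseaddr() truncates "a@b@c" to "a@b", so checking only the parsed
    result would let the truncated address through. This policy also
    rejects legal but rare quoted display names like '"me@home" <me@x>'.
    """
    if header_value.count("@") != 1:
        return None
    _name, addr = parseaddr(header_value)
    if not addr or not ADDR_SPEC_RE.match(addr):
        return None
    # Round trip: the bare addr-spec must parse back to itself unchanged.
    if parseaddr(addr)[1] != addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower()
    return domain if domain in allowed_domains else None

ALLOWED = {"example.com"}

# Constructed sample header values (not taken from the advisory).
SAMPLE_HEADERS = {
    "plain": "jdoe@example.com",
    "named": "John Doe <jdoe@example.com>",
    "double_at": "jdoe@example.com@attacker.example",
    "double_at_named": "John Doe <jdoe@example.com@attacker.example>",
    "quoted_name": '"me@home" <jdoe@example.com>',
    "wrong_domain": "John Doe <jdoe@attacker.example>",
}

def run_samples():
    """Map each sample label to the validator's verdict (domain or None)."""
    return {label: checked_sender_domain(value, ALLOWED)
            for label, value in SAMPLE_HEADERS.items()}

if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:16s} -> {result!r}")
```

Only the two single-address headers at ``example.com`` are accepted; both double-``@`` forms are rejected by the raw count before ``parseaddr`` is consulted at all.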
* CVE ID: `CVE-2019-16056 `_
* Published: 2019-09-06
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2018-07-19** as reference:

* 2018-07-19: `Python issue bpo-34155 `_ reported by Cyril Nicodème
* 2019-08-09 (**+386 days**): `commit 13a1913 (branch 3.6) `_
* 2019-08-09 (**+386 days**): `commit 2170774 (branch 3.8) `_
* 2019-08-09 (**+386 days**): `commit c48d606 (branch 3.7) `_
* 2019-09-06 (**+414 days**): CVE-2019-16056 published
* 2019-09-07 (**+415 days**): `commit 063eba2 (branch 3.5) `_
* 2019-09-14 (**+422 days**): `commit 4cbcd2f (branch 2.7) `_
* 2019-10-14: Python 3.8.0 released
* 2019-10-14 (**+452 days**): Python 3.7.5 released
* 2019-10-19 (**+457 days**): Python 2.7.17 released
* 2019-10-29 (**+467 days**): Python 3.5.8 released
* 2019-12-18 (**+517 days**): Python 3.6.10 released

Links
-----

* https://medium.com/@fs0c131y/tchap-the-super-not-secure-app-of-the-french-government-84b31517d144
* https://twitter.com/fs0c131y/status/1119143946687434753