gh-102988: Detect email address parsing errors and return empty tuple to indicate the parsing error (old API) by tdwyer · Pull Request #108250 · python/cpython
After some investigation, I confirmed that I was being too careful before. Only commas in double quotes should be accounted for, not commas in single quotes nor commas prefixed with a backslash.
A comma in single quotes and a comma prefixed by a backslash trigger the bug. However, a comma in double quotes is parsed correctly. This is how all of those cases behave in:
Python 2.7.17
Python 3.6.9
Python 3.11.5
```python
>>> s = "'ae.com,' <b@e.com>"
>>> parseaddr(s)
('', "'ae.com")
>>> getaddresses([s])
[('', "'ae.com"), ("'", 'b@e.com')]
>>> s = '"ae.com," <b@e.com>'
>>> getaddresses([s])
[('ae.com,', 'b@e.com')]
>>> parseaddr(s)
('ae.com,', 'b@e.com')
>>> s = 'ae.com\,<b@e.com>'
>>> parseaddr(s)
('', 'ae.com\\')
>>> getaddresses([s])
[('', 'ae.com\\'), ('', 'b@e.com')]
```
Additionally, somehow the fix for CVE-2019-16056 regarding alice@example.com <bob@example.com> seems to have been undone and is exploitable in:
Python 2.7.17
Python 3.6.9
Python 3.11.5
```python
>>> getaddresses(['a@e.com <b@e.com>'])
[('', 'a@e.com'), ('', 'b@e.com')]
>>> parseaddr('a@e.com <b@e.com>')
('', 'a@e.com')
>>> parseaddr('a@e.com<b@e.com>')
('', 'a@e.com')
```
So, this PR fixes both CVE-2019-16056 and CVE-2023-27043
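As an added example (not code from this PR or from CPython), here is a caller-side check that treats the ambiguous parses shown above as errors instead of acting on whichever address the old API returns first. `parse_one_address` and the `_ADDR_SPEC` pattern are assumptions of this example; it uses only the existing `parseaddr` and `getaddresses` API and returns `None` for the single-quote, backslash and `a@e.com <b@e.com>` cases on both the old parser and the newer strict one.

```python
import re
from email.utils import getaddresses, parseaddr

# Conservative addr-spec shape (a constructed check, not RFC 5322 validation):
# exactly one '@', no whitespace, angle brackets, quotes, commas or backslashes.
_ADDR_SPEC = re.compile(r'[^@\s<>",;\\]+@[^@\s<>",;\\]+')


def parse_one_address(header_value):
    """Parse a header value expected to hold exactly one mailbox.

    Returns (realname, addr) only when the value is unambiguous, else None.
    The caller treats None as a parsing error and rejects the input.
    """
    realname, addr = parseaddr(header_value)
    # 1. An empty addr is the parser's own failure signal; also reject truncated
    #    results such as "'ae.com" or "ae.com\\" that carry no '@' at all.
    if not addr or not _ADDR_SPEC.fullmatch(addr):
        return None
    # 2. The list parser must see exactly one mailbox, and it must be the one
    #    parseaddr returned. For "a@e.com <b@e.com>" or "a@e.com<b@e.com>" the
    #    old parser sees two (the CVE-2019-16056 pattern); the strict parser
    #    returns [('', '')], which this count check also rejects.
    mailboxes = [a for _, a in getaddresses([header_value]) if a]
    if len(mailboxes) != 1 or mailboxes[0] != addr:
        return None
    # 3. Policy choice for this example: a display name that itself looks like
    #    an address ('"a@e.com" <b@e.com>') is rejected as misleading.
    if _ADDR_SPEC.search(realname):
        return None
    return realname, addr


if __name__ == "__main__":
    # Constructed inputs mirroring the cases discussed in the comment above.
    for value in ['"ae.com," <b@e.com>', "'ae.com,' <b@e.com>",
                  'ae.com\\,<b@e.com>', 'a@e.com <b@e.com>',
                  'a@e.com<b@e.com>', '"a@e.com" <b@e.com>']:
        print(repr(value), '->', parse_one_address(value))
```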