Skip to content

gh-152519: fix(email): don't decode RFC 2047 encoded-words in addr-spec local-parts#152520

Closed
muhamedfazalps wants to merge 2 commits into
python:mainfrom
muhamedfazalps:fix/encoded-word-addr-spec
Closed

gh-152519: fix(email): don't decode RFC 2047 encoded-words in addr-spec local-parts#152520
muhamedfazalps wants to merge 2 commits into
python:mainfrom
muhamedfazalps:fix/encoded-word-addr-spec

Conversation

@muhamedfazalps

@muhamedfazalps muhamedfazalps commented Jun 28, 2026

Copy link
Copy Markdown

Summary

RFC 2047 §5 forbids encoded-words in addr-spec. The current parser decodes them anyway via get_dot_atom(), corrupting address parsing when the decoded text contains address-special characters (e.g. =40 decodes to @).

Root Cause

get_dot_atom() unconditionally decodes any =? prefix as an RFC 2047 encoded-word. When called from get_local_part() (which is called from get_addr_spec()), this violates RFC 2047 §5 and corrupts the parsed address.

Fix

Add ew_allowed parameter to get_dot_atom() (default True for backward compatibility). Pass ew_allowed=False when parsing local-parts inside addr-spec to prevent encoded-word decoding.

Testing

Verified with the reproducer from the issue:

  • Encoded word in normal dot_atom context: correctly decoded
  • Encoded word in addr-spec local-part: NOT decoded, defect reported
  • Normal addresses: work as before

Fixes #152519


If this helps, consider buying me a coffee! https://buymeacoffee.com/muhamedfazalps

RFC 2047 §5 forbids encoded-words in addr-spec. The current parser
decodes them anyway via get_dot_atom(), corrupting address parsing
when the decoded text contains address-special characters like '@'.

Fix: add ew_allowed parameter to get_dot_atom() (default True for
backward compatibility). Pass ew_allowed=False when parsing local-parts
inside addr-spec to prevent encoded-word decoding.

Fixes python#152519
@muhamedfazalps muhamedfazalps requested a review from a team as a code owner June 28, 2026 18:52
@bedevere-app

bedevere-app Bot commented Jun 28, 2026

Copy link
Copy Markdown

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@python-cla-bot

python-cla-bot Bot commented Jun 28, 2026

Copy link
Copy Markdown

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app

bedevere-app Bot commented Jun 28, 2026

Copy link
Copy Markdown

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

email: RFC 2047 encoded-word in an addr-spec local-part corrupts address parsing

2 participants