Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2024-04-25 20:47:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Thu Apr 25 20:47:30 2024 rev:194 rq:1169941 version:2.7.18 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2024-03-19 17:29:26.513489595 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes 2024-04-25 20:47:30.798403052 +0200 @@ -1,0 +2,9 @@ +Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl <mc...@cepl.eu> + +- Modify CVE-2023-27043-email-parsing-errors.patch to fix the + unicode string handling in email.utils.parseaddr() + (bsc#1222537). +- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was + unneeded. + +------------------------------------------------------------------- python-doc.changes: same change python.changes: same change Old: ---- CVE-2022-48560-after-free-heappushpop.patch BETA DEBUG BEGIN: Old:/work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- (bsc#1222537). /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes:- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- unneeded. -- /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- (bsc#1222537). /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes:- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- unneeded. -- /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- (bsc#1222537). /work/SRC/openSUSE:Factory/.python.new.1880/python.changes:- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- unneeded. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.7FFiTt/_old 2024-04-25 20:47:33.846514975 +0200 +++ /var/tmp/diff_new_pack.7FFiTt/_new 2024-04-25 20:47:33.850515122 +0200 
@@ -19,7 +19,7 @@ %define so_version 2_7-1_0 # We really don't care about quality of this package anymore, it # will be soon gone (bsc#1219306). -%bcond_with tests +%bcond_with test Name: python-base Version: 2.7.18 @@ -154,7 +154,8 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mc...@suse.com # Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) +# indicate the parsing error (old API), modified for fixing bsc#1222537, +# so that email.utils.parseaddr accepts unicode string Patch77: CVE-2023-27043-email-parsing-errors.patch # PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mc...@suse.com # Reject entity declarations in plists @@ -164,9 +165,6 @@ # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mc...@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch -# PATCH-FIX-UPSTREAM CVE-2022-48560-after-free-heappushpop.patch bsc#1214675 mc...@suse.com -# fix use after free in heapq.heappushpop() -Patch81: CVE-2022-48560-after-free-heappushpop.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -323,7 +321,6 @@ %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 -%patch -P 81 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar @@ -431,8 +428,8 @@ # use network, be verbose: #make test TESTOPTS="-l -u network -v" %endif -# END OF CHECK SECTION %endif +# END OF CHECK SECTION %install # replace rest of /usr/local/bin/python or /usr/bin/python2.5 with /usr/bin/python ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.7FFiTt/_old 2024-04-25 20:47:33.894516738 +0200 +++ /var/tmp/diff_new_pack.7FFiTt/_new 2024-04-25 20:47:33.898516885 +0200 
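Review bot: `%bcond_with test` leaves the test suite off unless the build is invoked with `--with test`, so the regression tests this commit adds to CVE-2023-27043-email-parsing-errors.patch (for example `test_parsing_unicode_str`) are presumably not run in a default build. For the same reason nothing at build time exercises heapq after Patch81 (CVE-2022-48560) is dropped in the `-164,9` and `-323,7` hunks. The `%if %{with …}` that consumes this conditional is outside the hunk, so confirm it uses the new name `test` rather than `tests`; a mismatch would leave the check section permanently disabled without any error. I would also keep a one-line comment where Patch81 was, such as `# CVE-2022-48560 (bsc#1214675): patch dropped, <reason the fix is unneeded>`, so the rationale is recorded in the spec and not only in the changelog.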
@@ -150,7 +150,8 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mc...@suse.com # Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) +# indicate the parsing error (old API), modified for fixing bsc#1222537, +# so that email.utils.parseaddr accepts unicode string Patch77: CVE-2023-27043-email-parsing-errors.patch # PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mc...@suse.com # Reject entity declarations in plists @@ -160,9 +161,6 @@ # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mc...@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch -# PATCH-FIX-UPSTREAM CVE-2022-48560-after-free-heappushpop.patch bsc#1214675 mc...@suse.com -# fix use after free in heapq.heappushpop() -Patch81: CVE-2022-48560-after-free-heappushpop.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -254,7 +252,6 @@ %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 -%patch -P 81 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.7FFiTt/_old 2024-04-25 20:47:33.942518501 +0200 +++ /var/tmp/diff_new_pack.7FFiTt/_new 2024-04-25 20:47:33.942518501 +0200 @@ -150,7 +150,8 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mc...@suse.com # Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) +# indicate the parsing error (old API), modified for fixing bsc#1222537, +# so that email.utils.parseaddr accepts unicode string Patch77: CVE-2023-27043-email-parsing-errors.patch # PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mc...@suse.com # Reject entity declarations in plists 
@@ -160,9 +161,6 @@ # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mc...@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch -# PATCH-FIX-UPSTREAM CVE-2022-48560-after-free-heappushpop.patch bsc#1214675 mc...@suse.com -# fix use after free in heapq.heappushpop() -Patch81: CVE-2022-48560-after-free-heappushpop.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -374,7 +372,6 @@ %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 -%patch -P 81 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ CVE-2023-27043-email-parsing-errors.patch ++++++ --- /var/tmp/diff_new_pack.7FFiTt/_old 2024-04-25 20:47:34.062522907 +0200 +++ /var/tmp/diff_new_pack.7FFiTt/_new 2024-04-25 20:47:34.066523054 +0200 @@ -1,14 +1,13 @@ --- - Doc/library/email.utils.rst | 19 - - Lib/email/utils.py | 151 +++++++- - Lib/test/test_email/test_email.py | 187 +++++++++- + Doc/library/email.utils.rst | 19 + Lib/email/test/test_email.py | 192 +++++++++- + Lib/email/test/test_email_renamed.py | 50 ++ + Lib/email/utils.py | 155 +++++++- Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 - 4 files changed, 344 insertions(+), 21 deletions(-) + 5 files changed, 393 insertions(+), 31 deletions(-) -Index: Python-2.7.18/Doc/library/email.utils.rst -=================================================================== ---- Python-2.7.18.orig/Doc/library/email.utils.rst -+++ Python-2.7.18/Doc/library/email.utils.rst +--- a/Doc/library/email.utils.rst ++++ b/Doc/library/email.utils.rst @@ -21,13 +21,18 @@ There are several useful utilities provi begins with angle brackets, they are stripped off. 
@@ -58,213 +57,14 @@ .. function:: parsedate(date) -Index: Python-2.7.18/Lib/email/utils.py -=================================================================== ---- Python-2.7.18.orig/Lib/email/utils.py -+++ Python-2.7.18/Lib/email/utils.py -@@ -100,15 +100,93 @@ def formataddr(pair): - return address - - -- --def getaddresses(fieldvalues): -- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -- all = COMMASPACE.join(fieldvalues) -- a = _AddressList(all) -- return a.addresslist -+def _iter_escaped_chars(addr): -+ pos = 0 -+ escape = False -+ for pos, ch in enumerate(addr): -+ if escape: -+ yield (pos, '\\' + ch) -+ escape = False -+ elif ch == '\\': -+ escape = True -+ else: -+ yield (pos, ch) -+ if escape: -+ yield (pos, '\\') -+ -+ -+def _strip_quoted_realnames(addr): -+ """Strip real names between quotes.""" -+ if '"' not in addr: -+ # Fast path -+ return addr -+ -+ start = 0 -+ open_pos = None -+ result = [] -+ for pos, ch in _iter_escaped_chars(addr): -+ if ch == '"': -+ if open_pos is None: -+ open_pos = pos -+ else: -+ if start != open_pos: -+ result.append(addr[start:open_pos]) -+ start = pos + 1 -+ open_pos = None -+ -+ if start < len(addr): -+ result.append(addr[start:]) -+ -+ return ''.join(result) -+ -+ -+supports_strict_parsing = True -+ -+def getaddresses(fieldvalues, strict=True): -+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. -+ -+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in -+ its place. -+ -+ If strict is true, use a strict parser which rejects malformed inputs. -+ """ -+ -+ # If strict is true, if the resulting list of parsed addresses is greater -+ # than the number of fieldvalues in the input list, a parsing error has -+ # occurred and consequently a list containing a single empty 2-tuple [('', -+ # '')] is returned in its place. This is done to avoid invalid output. 
-+ # -+ # Malformed input: getaddresses(['al...@example.com <b...@example.com>']) -+ # Invalid output: [('', 'al...@example.com'), ('', 'b...@example.com')] -+ # Safe output: [('', '')] -+ -+ if not strict: -+ all = COMMASPACE.join(unicode(v) for v in fieldvalues) -+ a = _AddressList(all) -+ return a.addresslist -+ -+ fieldvalues = [unicode(v) for v in fieldvalues] -+ fieldvalues = _pre_parse_validation(fieldvalues) -+ addr = COMMASPACE.join(fieldvalues) -+ a = _AddressList(addr) -+ result = _post_parse_validation(a.addresslist) -+ -+ # Treat output as invalid if the number of addresses is not equal to the -+ # expected number of addresses. -+ n = 0 -+ for v in fieldvalues: -+ # When a comma is used in the Real Name part it is not a deliminator. -+ # So strip those out before counting the commas. -+ v = _strip_quoted_realnames(v) -+ # Expected number of addresses: 1 + number of commas -+ n += 1 + v.count(',') -+ if len(result) != n: -+ return [('', '')] -+ -+ return result -+ - - -- - ecre = re.compile(r''' - =\? # literal =? - (?P<charset>[^?]*?) # non-greedy up to the next ? is the charset -@@ -210,19 +288,74 @@ def parsedate_tz(data): - return _parsedate_tz(data) - - --def parseaddr(addr): -+def parseaddr(addr, strict=True): - """ - Parse addr into its constituent realname and email address parts. - - Return a tuple of realname and email address, unless the parse fails, in - which case return a 2-tuple of ('', ''). -+ -+ If strict is True, use a strict parser which rejects malformed inputs. 
- """ -- addrs = _AddressList(addr).addresslist -- if not addrs: -- return '', '' -+ -+ if not strict: -+ addrs = _AddressList(addr).addresslist -+ if not addrs: -+ return ('', '') -+ return addrs[0] -+ -+ if isinstance(addr, list): -+ addr = addr[0] -+ -+ if not isinstance(addr, str): -+ return ('', '') -+ -+ addr = _pre_parse_validation([addr])[0] -+ addrs = _post_parse_validation(_AddressList(addr).addresslist) -+ -+ if not addrs or len(addrs) > 1: -+ return ('', '') -+ - return addrs[0] - - -+def _check_parenthesis(addr): -+ # Ignore parenthesis in quoted real names. -+ addr = _strip_quoted_realnames(addr) -+ -+ opens = 0 -+ for pos, ch in _iter_escaped_chars(addr): -+ if ch == '(': -+ opens += 1 -+ elif ch == ')': -+ opens -= 1 -+ if opens < 0: -+ return False -+ return (opens == 0) -+ -+ -+def _pre_parse_validation(email_header_fields): -+ accepted_values = [] -+ for v in email_header_fields: -+ if not _check_parenthesis(v): -+ v = "('', '')" -+ accepted_values.append(v) -+ -+ return accepted_values -+ -+ -+def _post_parse_validation(parsed_email_header_tuples): -+ accepted_values = [] -+ # The parser would have parsed a correctly formatted domain-literal -+ # The existence of an [ after parsing indicates a parsing failure -+ for v in parsed_email_header_tuples: -+ if '[' in v[1]: -+ v = ('', '') -+ accepted_values.append(v) -+ -+ return accepted_values -+ -+ - # rfc822.unquote() doesn't properly de-backslash-ify in Python pre-2.3. 
- def unquote(str): - """Remove quotes from a string.""" -Index: Python-2.7.18/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst -=================================================================== ---- /dev/null -+++ Python-2.7.18/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst -@@ -0,0 +1,8 @@ -+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now -+return ``('', '')`` 2-tuples in more situations where invalid email -+addresses are encountered instead of potentially inaccurate values. Add -+optional *strict* parameter to these two functions: use ``strict=False`` to -+get the old behavior, accept malformed inputs. -+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check -+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor -+Stinner to improve the CVE-2023-27043 fix. -Index: Python-2.7.18/Lib/email/test/test_email.py -=================================================================== ---- Python-2.7.18.orig/Lib/email/test/test_email.py -+++ Python-2.7.18/Lib/email/test/test_email.py +--- a/Lib/email/test/test_email.py ++++ b/Lib/email/test/test_email.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # Copyright (C) 2001-2010 Python Software Foundation # Contact: email-...@python.org # email package unit tests -@@ -2414,15 +2415,135 @@ Foo +@@ -2414,15 +2415,142 @@ Foo [('Al Person', 'aper...@dom.ain'), ('Bud Person', 'bper...@dom.ain')]) 
@@ -355,6 +155,13 @@ + # Test Utils.supports_strict_parsing attribute + self.assertEqual(Utils.supports_strict_parsing, True) + ++ def test_parsing_unicode_str(self): ++ email_in = "Honza Novák <ho...@example.com>" ++ self.assertEqual(Utils.parseaddr("Honza str Novák <ho...@example.com>"), ++ ('Honza str Nov\xc3\xa1k', 'ho...@example.com')) ++ self.assertEqual(Utils.parseaddr(u"Honza unicode Novák <ho...@example.com>"), ++ (u'Honza unicode Nov\xe1k', u'ho...@example.com')) ++ def test_getaddresses_nasty(self): - eq = self.assertEqual - eq(Utils.getaddresses(['foo: ;']), [('', '')]) @@ -408,7 +215,7 @@ def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" -@@ -2430,6 +2551,54 @@ Foo +@@ -2430,6 +2558,54 @@ Foo addrs = Utils.getaddresses(['User ((nested comment)) <f...@bar.com>']) eq(addrs[0][1], 'f...@bar.com') @@ -463,10 +270,8 @@ def test_make_msgid_collisions(self): # Test make_msgid uniqueness, even with multiple threads class MsgidsThread(Thread): -Index: Python-2.7.18/Lib/email/test/test_email_renamed.py -=================================================================== ---- Python-2.7.18.orig/Lib/email/test/test_email_renamed.py -+++ Python-2.7.18/Lib/email/test/test_email_renamed.py +--- a/Lib/email/test/test_email_renamed.py ++++ b/Lib/email/test/test_email_renamed.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # Copyright (C) 2001-2007 Python Software Foundation 
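Review bot: In `test_parsing_unicode_str` the local `email_in` is assigned and never read; both assertions pass their own literals to `Utils.parseaddr`. Drop the assignment, or pass `email_in` to a third assertion so the variable has a purpose. The test covers only the default strict path, so a `Utils.parseaddr(..., strict=False)` assertion on the same byte-string and unicode inputs would pin the behaviour for callers that opt out of strict parsing.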
@@ -528,4 +333,197 @@ def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" +--- a/Lib/email/utils.py ++++ b/Lib/email/utils.py +@@ -100,15 +100,93 @@ def formataddr(pair): + return address + + +- +-def getaddresses(fieldvalues): +- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" +- all = COMMASPACE.join(fieldvalues) +- a = _AddressList(all) +- return a.addresslist ++def _iter_escaped_chars(addr): ++ pos = 0 ++ escape = False ++ for pos, ch in enumerate(addr): ++ if escape: ++ yield (pos, '\\' + ch) ++ escape = False ++ elif ch == '\\': ++ escape = True ++ else: ++ yield (pos, ch) ++ if escape: ++ yield (pos, '\\') ++ ++ ++def _strip_quoted_realnames(addr): ++ """Strip real names between quotes.""" ++ if '"' not in addr: ++ # Fast path ++ return addr ++ ++ start = 0 ++ open_pos = None ++ result = [] ++ for pos, ch in _iter_escaped_chars(addr): ++ if ch == '"': ++ if open_pos is None: ++ open_pos = pos ++ else: ++ if start != open_pos: ++ result.append(addr[start:open_pos]) ++ start = pos + 1 ++ open_pos = None ++ ++ if start < len(addr): ++ result.append(addr[start:]) ++ ++ return ''.join(result) ++ ++ ++supports_strict_parsing = True ++ ++def getaddresses(fieldvalues, strict=True): ++ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. ++ ++ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in ++ its place. ++ ++ If strict is true, use a strict parser which rejects malformed inputs. ++ """ ++ ++ # If strict is true, if the resulting list of parsed addresses is greater ++ # than the number of fieldvalues in the input list, a parsing error has ++ # occurred and consequently a list containing a single empty 2-tuple [('', ++ # '')] is returned in its place. This is done to avoid invalid output. 
++ # ++ # Malformed input: getaddresses(['al...@example.com <b...@example.com>']) ++ # Invalid output: [('', 'al...@example.com'), ('', 'b...@example.com')] ++ # Safe output: [('', '')] ++ ++ if not strict: ++ all = COMMASPACE.join(unicode(v) for v in fieldvalues) ++ a = _AddressList(all) ++ return a.addresslist ++ ++ fieldvalues = [unicode(v) for v in fieldvalues] ++ fieldvalues = _pre_parse_validation(fieldvalues) ++ addr = COMMASPACE.join(fieldvalues) ++ a = _AddressList(addr) ++ result = _post_parse_validation(a.addresslist) ++ ++ # Treat output as invalid if the number of addresses is not equal to the ++ # expected number of addresses. ++ n = 0 ++ for v in fieldvalues: ++ # When a comma is used in the Real Name part it is not a deliminator. ++ # So strip those out before counting the commas. ++ v = _strip_quoted_realnames(v) ++ # Expected number of addresses: 1 + number of commas ++ n += 1 + v.count(',') ++ if len(result) != n: ++ return [('', '')] ++ ++ return result ++ + + +- + ecre = re.compile(r''' + =\? # literal =? + (?P<charset>[^?]*?) # non-greedy up to the next ? is the charset +@@ -210,19 +288,74 @@ def parsedate_tz(data): + return _parsedate_tz(data) + + +-def parseaddr(addr): ++def parseaddr(addr, strict=True): + """ + Parse addr into its constituent realname and email address parts. + + Return a tuple of realname and email address, unless the parse fails, in + which case return a 2-tuple of ('', ''). ++ ++ If strict is True, use a strict parser which rejects malformed inputs. 
+ """ +- addrs = _AddressList(addr).addresslist +- if not addrs: +- return '', '' ++ ++ if not strict: ++ addrs = _AddressList(addr).addresslist ++ if not addrs: ++ return ('', '') ++ return addrs[0] ++ ++ if isinstance(addr, list): ++ addr = addr[0] ++ ++ if not isinstance(addr, basestring): ++ return ('', '') ++ ++ addr = _pre_parse_validation([addr])[0] ++ addrs = _post_parse_validation(_AddressList(addr).addresslist) ++ ++ if not addrs or len(addrs) > 1: ++ return ('', '') ++ + return addrs[0] + + ++def _check_parenthesis(addr): ++ # Ignore parenthesis in quoted real names. ++ addr = _strip_quoted_realnames(addr) ++ ++ opens = 0 ++ for pos, ch in _iter_escaped_chars(addr): ++ if ch == '(': ++ opens += 1 ++ elif ch == ')': ++ opens -= 1 ++ if opens < 0: ++ return False ++ return (opens == 0) ++ ++ ++def _pre_parse_validation(email_header_fields): ++ accepted_values = [] ++ for v in email_header_fields: ++ if not _check_parenthesis(v): ++ v = "('', '')" ++ accepted_values.append(v) ++ ++ return accepted_values ++ ++ ++def _post_parse_validation(parsed_email_header_tuples): ++ accepted_values = [] ++ # The parser would have parsed a correctly formatted domain-literal ++ # The existence of an [ after parsing indicates a parsing failure ++ for v in parsed_email_header_tuples: ++ if '[' in v[1]: ++ v = ('', '') ++ accepted_values.append(v) ++ ++ return accepted_values ++ ++ + # rfc822.unquote() doesn't properly de-backslash-ify in Python pre-2.3. + def unquote(str): + """Remove quotes from a string.""" +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst +@@ -0,0 +1,8 @@ ++:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now ++return ``('', '')`` 2-tuples in more situations where invalid email ++addresses are encountered instead of potentially inaccurate values. Add ++optional *strict* parameter to these two functions: use ``strict=False`` to ++get the old behavior, accept malformed inputs. 
++``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check ++if the *strict* paramater is available. Patch by Thomas Dwyer and Victor ++Stinner to improve the CVE-2023-27043 fix.
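Review bot: `getaddresses` still coerces every field value with `unicode(v)`, both in the `if not strict:` join and in `fieldvalues = [unicode(v) for v in fieldvalues]`, and on Python 2 that decodes a byte `str` with the default ASCII codec. A UTF-8 byte string like the one `test_parsing_unicode_str` feeds to `parseaddr` would therefore raise UnicodeDecodeError here instead of returning addresses or `[('', '')]`, and these header values typically come from untrusted mail. This commit relaxes `parseaddr` to `basestring` but leaves `getaddresses` unchanged; coercing only non-string values would keep the two in step: `fieldvalues = [v if isinstance(v, basestring) else unicode(v) for v in fieldvalues]`, with the same expression in the non-strict join. Separately, `addr = addr[0]` in `parseaddr` raises IndexError for an empty list rather than returning `('', '')`.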