Skip to content

gh-145552: smtplib: quoteaddr() returns malformed address for input '<'#145553

Open
stefanzetzsche wants to merge 3 commits intopython:mainfrom
stefanzetzsche:fix/smtplib_quoteaddr_malformed
Open

gh-145552: smtplib: quoteaddr() returns malformed address for input '<'#145553
stefanzetzsche wants to merge 3 commits intopython:mainfrom
stefanzetzsche:fix/smtplib_quoteaddr_malformed

Conversation

@stefanzetzsche
Copy link

@stefanzetzsche stefanzetzsche commented Mar 5, 2026
edited by bedevere-app bot
Loading

Problem

quoteaddr() formats addresses for SMTP MAIL FROM: and RCPT TO: commands, which require angle-bracket format (<addr>). It first tries email.utils.parseaddr(); when that fails (for inputs like '<', '< ', '@'), a fallback path checks if the input starts with < and returns it verbatim — without verifying it also ends with >.

The fallback is intentionally lenient with unparseable input (the source comment reads "use it as is and hope for the best"), but a half-open < with no > produces structurally invalid SMTP commands.

Reproducer

from smtplib import quoteaddr
print(repr(quoteaddr('<')))   # '<' — missing closing >

Fix

In Lib/smtplib.py, in the fallback branch of quoteaddr, verify the string also ends with > before returning it. If not, append >:

if addrstring.strip().startswith('<'):
    if addrstring.strip().endswith('>'):
        return addrstring
    return addrstring.strip() + '>'

stefanzetzsche and others added 2 commits March 5, 2026 15:03
@stefanzetzsche
gh-XXXXX: Fix smtplib.quoteaddr() returning malformed address for '<'
fc8b6c8 
Input starting with '<' but missing closing '>' was returned verbatim.
Ensure the result always ends with '>'.
@stefanzetzsche
test(smtplib): Add tests for quoteaddr angle-bracket handling
660ee12 
Add testQuoteAddr for basic quoteaddr behavior and
testQuoteAddrMalformedAngleBracket for inputs starting with '<'
but missing closing '>'. The latter fails without the fix.
@bedevere-app
Copy link

bedevere-app bot commented Mar 5, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@python-cla-bot
Copy link

python-cla-bot bot commented Mar 5, 2026
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app bedevere-app bot mentioned this pull request Mar 5, 2026
Open
@stefanzetzsche stefanzetzsche marked this pull request as ready for review March 5, 2026 15:20
@stefanzetzsche stefanzetzsche requested a review from a team as a code owner March 5, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@stefanzetzsche