Skip to content

email.utils.formataddr does not reject CR and LF in address parts #150479

Open
Open
email.utils.formataddr does not reject CR and LF in address parts#150479
Labels
stdlibStandard Library Python modules in the Lib/ directorytopic-emailtype-featureA feature request or enhancement
@metsw24-max

Description

@metsw24-max
metsw24-max
opened on May 26, 2026

email.headerregistry.Address rejects CR and LF in its arguments (Lib/email/headerregistry.py), but the legacy email.utils.formataddr() passes them straight into the returned header string:

>>> from email.utils import formataddr
>>> formataddr(("Alice\r\nBcc: eve@example.com", "alice@example.com"))
'"Alice\r\nBcc: eve@example.com" <alice@example.com>'
>>> formataddr(("Alice", "alice@example.com\r\nSubject: spoofed"))
'Alice <alice@example.com\r\nSubject: spoofed>'

formataddr() is documented as producing a value suitable for a From/To/Cc header and is often used to build header strings directly, so it should reject CR/LF the same way Address does.

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    stdlibStandard Library Python modules in the Lib/ directorytopic-emailtype-featureA feature request or enhancement

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions