@@ -87,7 +87,7 @@ of the new API.
8787 This method returns a list of 2-tuples of the form returned by ``parseaddr() ``.
8888 *fieldvalues * is a sequence of header field values as might be returned by
8989 :meth: `Message.get_all <email.message.Message.get_all> `. Here's a simple
90- example that gets all the recipients of a message::
90+ example that gets all the recipients of a message:
9191
9292 from email.utils import getaddresses
9393
@@ -97,6 +97,25 @@ of the new API.
9797 resent_ccs = msg.get_all('resent-cc', [])
9898 all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
9999
100+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '') ``
101+ is returned in its place. Other errors in parsing the list of
102+ addresses such as a fieldvalue seemingly parsing into multiple
103+ addresses may result in a list containing a single empty 2-tuple
104+ ``[('', '')] `` being returned rather than returning potentially
105+ invalid output.
106+
107+ Example malformed input parsing:
108+
109+ .. doctest ::
110+
111+ >>> from email.utils import getaddresses
112+ 113+ [('', '')]
114+
115+ .. versionchanged :: 3.12
116+ The 2-tuple of ``('', '') `` in the returned values when parsing
117+ fails were added as to address a security issue.
118+
100119
101120.. function :: parsedate(date)
102121
0 commit comments