Address review comments

medmunds · medmunds · commit 69264749d46d · 2025-01-18T13:27:43.000-08:00
diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
@@ -96,13 +96,13 @@
 SPECIALSNL = SPECIALS | NLSET
 
 
-def escape_for_quotes(value):
+def make_quoted_pairs(value):
     """Escape dquote and backslash for use within a quoted-string."""
     return str(value).replace('\\', '\\\\').replace('"', '\\"')
 
 
 def quote_string(value):
-    escaped = escape_for_quotes(value)
+    escaped = make_quoted_pairs(value)
     return f'"{escaped}"'
 
 
@@ -2914,13 +2914,14 @@ def _refold_parse_tree(parse_tree, *, policy):
             # It's not a terminal, try folding the subparts.
             newparts = list(part)
             if part.token_type == 'bare-quoted-string':
-                # Restore the quotes and escape contents.
-                dquote = ValueTerminal('"', 'ptext')
+                # To fold a quoted string we need to create a list of terminal
+                # tokens that will render the leading and trailing quotes
+                # and use quoted pairs in the value as appropriate.
                 newparts = (
-                    [dquote] +
-                    [ValueTerminal(escape_for_quotes(p), 'ptext')
+                    [ValueTerminal('"', 'ptext')] +
+                    [ValueTerminal(make_quoted_pairs(p), 'ptext')
                      for p in newparts] +
-                    [dquote])
+                    [ValueTerminal('"', 'ptext')])
             if not part.as_ew_allowed:
                 wrap_as_ew_blocked += 1
                 newparts.append(end_ew_not_allowed)
diff --git a/Misc/NEWS.d/next/Security/2024-08-06-11-43-08.gh-issue-80222.wfR4BU.rst b/Misc/NEWS.d/next/Security/2024-08-06-11-43-08.gh-issue-80222.wfR4BU.rst
@@ -1,3 +1,6 @@
-Fix a problem where email.policy.default header refolding could incorrectly
-omit quotes from structured email headers, enabling sender or recipient
-spoofing via a carefully crafted display-name.
+Fix bug in the folding of quoted strings when flattening an email message using
+a modern email policy. Previously when a quoted string was folded so that
+it spanned more than one line, the surrounding quotes and internal escapes
+would be omitted. This could theoretically be used to spoof header lines
+using a carefully constructed quoted string if the resulting rendered email
+was transmitted or re-parsed.
