[3.10] gh-80222: Fix email address header folding with long quoted-string (GH-122753)

[bitdancer]

Email generators using email.policy.default could incorrectly omit the
quote ('"') characters from a quoted-string during header refolding,
leading to invalid address headers and enabling header spoofing. This
change restores the quote characters on a bare-quoted-string as the
header is refolded, and escapes backslash and quote chars in the string.
(cherry picked from commit 5aaf416)

Co-authored-by: Mike Edmunds [email protected]

• Issue: email: folding of quoted string in display_name violates RFC #80222

[hugovk]

@bitdancer The CI is failing for test_email, please could you check it?

[terryjreedy]

bitdancer is no longer active. @python/email-team Security backport is pending fix of failing test.

[medmunds]

The failing test_address_list_with_list_separator_after_fold was added in 3.11 by PRs #100885 and #119099 as a fix for gh-100884 (and regression gh-118643). The test case is being pulled into 3.10 by this backport, but without the corresponding fix.

gh-100884 has similar security implications to the original issue here, but was not identified as a security issue at the time. (It's also effectively the inverse issue of gh-121284.)

[bitdancer]

@terryjreedy Actually I'm becoming active again, but I'm still ramping back up. I'm still learning about the current way backports are done, and it has taken me a while to get back to this.

[bitdancer]

Tests are passing now.

[bedevere-app]

GH-132371 is a backport of this pull request to the 3.9 branch.

[terryjreedy]

@bitdancer Good to see you back ;-). Are you aware of core-dev discord?

[bitdancer]

@terryjreedy Aware, yes, but I haven't gotten around to trying to figure out how to access it ;)

[terryjreedy]

Once you have an account, I believe you need an invite from an admin. @hugovk @ambv ?

[hugovk]

@bitdancer I've sent an invite to the email on your profile. Welcome!