net/mail: comments in display names are incorrectly handled #65083

Closed
@rolandshoemaker


In #21018, it was noted that parentheses in display names were rejected, which
resulted in a confusing error.

The solution was to introduce a behavior which diverged relatively significantly
from RFC 5322 in CL50911, allowing special reserved characters to appear in the
"atom" syntax, where they are disallowed by the specification.

One of the consequences of this change was that we introduced non-compliant
handling of comments (text within parentheses) within display names. Parsing
Hello (comment) there <[email protected]> should result in a display name of
Hello there, but because we (a) allow special characters (in this case parentheses)
in the "atom" syntax and (b) don't properly handle comments in display names, we
parse a name of Hello (comment) there which is clearly non-conformant.

I believe we should revert CL50911, rather than just removing parentheses from
the allowed set of specials, since it's unclear why this was done to begin with,
and there is no evidence this is useful or needed.

We should additionally support the obs-phrase syntax in display names, which
permits comments, and properly handle them.

Because this introduces a parser misalignment, which could plausibly result in
different trust decisions being made by programs using different parsers, we're
considering this a PUBLIC track security issue (per the Go Security Policy).

Thanks to Juho Nurminen of Mattermost for reporting this issue, and @Slonser for
also independently reporting this issue.
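
A way to check whether the Go toolchain in use shows the misalignment described in the issue above. This is an added example, not code from the issue or from the Go project. `stripComments` is a hypothetical helper that applies RFC 5322 comment handling to a display-name phrase, the sample address is constructed, and taking everything before the last `<` as the phrase is a simplification.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// stripComments drops RFC 5322 comments (nested parentheses, backslash
// quoted-pairs) from a phrase; parentheses inside a quoted-string are literal.
// Whitespace runs are collapsed everywhere, which is a simplification.
func stripComments(phrase string) (string, error) {
	var out strings.Builder
	depth, inQuote := 0, false
	for i := 0; i < len(phrase); i++ {
		c := phrase[i]
		switch {
		case c == '\\' && (depth > 0 || inQuote):
			if i++; i == len(phrase) {
				return "", fmt.Errorf("dangling backslash")
			}
			if depth == 0 {
				out.WriteByte(phrase[i]) // escaped char inside a quoted-string
			}
		case c == '"' && depth == 0:
			inQuote = !inQuote
		case c == '(' && !inQuote:
			depth++
			out.WriteByte(' ') // a comment separates the words around it
		case c == ')' && !inQuote:
			if depth--; depth < 0 {
				return "", fmt.Errorf("unbalanced ')'")
			}
		case depth == 0:
			out.WriteByte(c)
		}
	}
	if depth != 0 || inQuote {
		return "", fmt.Errorf("unterminated comment or quoted-string")
	}
	return strings.Join(strings.Fields(out.String()), " "), nil
}

func main() {
	const addr = "Hello (comment) there <user@example.com>" // constructed sample
	a, err := mail.ParseAddress(addr)
	if err != nil {
		fmt.Println("net/mail rejected the address:", err)
		return
	}
	want, _ := stripComments(addr[:strings.LastIndexByte(addr, '<')])
	fmt.Printf("net/mail=%q rfc5322=%q mismatch=%v\n", a.Name, want, a.Name != want)
}
```

A `mismatch=true` result means the display name net/mail reports differs from the comment-stripped reading, which is the divergence the issue describes.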

Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.), Security