Message 341069 - Python tracker

Message341069

Author	Dain Dwarf
Recipients	Dain Dwarf, barry, bortzmeyer, cnicodeme, jpic, jwilk, kal.sze, msapiro, nicoe, r.david.murray, vstinner, xtreak
Date	2019-04-29.11:42:55
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org>
In-reply-to

Content
Hello, kind of new here. I just wanted to note that the issue that lead to Tchap's security attack still exists in the non-deprecated message_from_string function: email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='a', domain='malicious.org'),) So, deprecating parseaddr is not enough for security purpose, unless there is another ticket for the new email API.

Content

Hello, kind of new here.

I just wanted to note that the issue that lead to Tchap's security attack still exists in the non-deprecated message_from_string function:

email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses

(Address(display_name='', username='a', domain='malicious.org'),)

So, deprecating parseaddr is not enough for security purpose, unless there is another ticket for the new email API.

History
Date	User	Action	Args
2019-04-29 11:42:55	Dain Dwarf	set	recipients: + Dain Dwarf, barry, vstinner, msapiro, jwilk, r.david.murray, nicoe, kal.sze, xtreak, cnicodeme, bortzmeyer, jpic
2019-04-29 11:42:55	Dain Dwarf	set	messageid: <1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org>
2019-04-29 11:42:55	Dain Dwarf	link	issue34155 messages
2019-04-29 11:42:55	Dain Dwarf	create