classification
Title: smtplib mixes RFC821 and RFC822 addresses
Type: security
Stage:
Components: Library (Lib)
Versions:

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Manjusaka, daurnimator, epicfaace
Priority: normal
Keywords:

Created on 2018-09-05 20:41 by daurnimator, last changed 2020-03-23 18:01 by Manjusaka.

Messages (4)
msg324653 - Author: Daurnimator (daurnimator) Date: 2018-09-05 20:41
smtplib.sendmsg is documented to take RFC822 addresses, and e.g. if the `to_addrs` argument isn't provided then it gets the To address directly from the headers (which is in RFC822 form).

However it then proceeds to use it as an RFC821 address and sends it over the SMTP connection. https://github.com/python/cpython/blob/874809ea389e6434787e773a6054a08e0b81f734/Lib/smtplib.py#L542

msg364200 - Author: Ashwin Ramaswami (epicfaace) * Date: 2020-03-14 21:57
What do you mean by "it then proceeds to use it as an RFC821 address"?

msg364220 - Author: Daurnimator (daurnimator) Date: 2020-03-15 05:43
On Sun, 15 Mar 2020 at 08:58, Ashwin Ramaswami <report@bugs.python.org> wrote:
> What do you mean by "it then proceeds to use it as an RFC821 address"?

It writes it into an SMTP command as if it was an RFC821 address.
This is a problem because not all RFC822 addresses are valid RFC821 addresses.

msg364869 - Author: Manjusaka (Manjusaka) * Date: 2020-03-23 18:01
> This is a problem because not all RFC822 addresses are valid RFC821 addresses.

Do you mean that we would add a verification before we send the command?
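
Added example, not part of the thread and not CPython code: one way to check header-derived addresses before they are written into an SMTP command. It assumes a deliberately conservative subset of the RFC 821 mailbox syntax; the names `is_envelope_safe`, `envelope_recipients` and the sample headers are constructed for illustration.

```python
import re
from email.utils import getaddresses

# Conservative subset of the RFC 821 mailbox syntax (an assumption of this
# example): dot-separated atoms before the "@", letter/digit/hyphen labels
# after it. Quoted local parts and [address literals] are valid RFC 821 but
# are rejected here on purpose.
ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
MAILBOX = re.compile(rf"{ATOM}(?:\.{ATOM})*@{LABEL}(?:\.{LABEL})*")

# Constructed sample header values (not taken from the issue). The second
# address has an RFC 822 domain made of atoms ("build_host") that the
# RFC 821 letter/digit/hyphen rule for domain names does not allow.
SAMPLE_HEADERS = [
    "Alice <alice@example.com>, erin@build_host.example",
    "bob@example.org",
]


def is_envelope_safe(addr_spec):
    """True if addr_spec may be written as-is inside <...> in MAIL/RCPT."""
    # fullmatch() rejects whitespace, comments, line breaks and any other
    # RFC 822 token that has no place in an SMTP command line.
    return MAILBOX.fullmatch(addr_spec) is not None


def envelope_recipients(header_values):
    """Split RFC 822 header values into (accepted, rejected) addr-specs."""
    accepted, rejected = [], []
    for _name, addr_spec in getaddresses(header_values):
        if is_envelope_safe(addr_spec):
            accepted.append(addr_spec)
        else:
            rejected.append(addr_spec)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = envelope_recipients(SAMPLE_HEADERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

A caller would pass only the accepted list as `to_addrs` and report the rejected entries instead of sending them.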

History
Date                 User         Action  Args
2020-03-23 18:01:04  Manjusaka    set     nosy: + Manjusaka; messages: + msg364869
2020-03-15 05:43:27  daurnimator  set     messages: + msg364220
2020-03-14 21:57:54  epicfaace    set     nosy: + epicfaace; messages: + msg364200
2018-09-05 20:41:44  daurnimator  create