Message340535
Relevant attack from matrix blog post.
https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/
> sydent uses python's email.utils.parseaddr function to parse the input email address before sending validation mail to it, but it turns out that if you hand parseaddr a malformed email address of form a@b.com@c.com, it silently discards the @c.com prefix without error. The result of this is that if one requested a validation token for 'a@malicious.org@important.com', the token would be sent to 'a@malicious.org', but the address 'a@malicious.org@important.com' would be marked as validated. This release fixes this behaviour by asserting that the parsed email address is the same as the input email address.
I am marking this as a security issue.
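Added example (not part of xtreak's message, the matrix blog post, or the sydent code): a minimal model of the validation flow the message describes, showing why sending the token to parseaddr's output while marking the raw input as validated lets the two diverge, and the fix of comparing the parsed address against the input. The function names and the sample addresses are constructed for this illustration; what parseaddr returns for a doubled '@' depends on the Python version (the pre-fix behaviour quoted above returned the part before the second '@', later releases return an empty address), and the comparison rejects the input in either case.

```python
from email.utils import parseaddr
from typing import Optional

# Constructed sample inputs, not taken from the issue tracker.
BENIGN = "a@b.com"
MALFORMED = "a@malicious.org@important.com"


def normalise_address(candidate: str) -> Optional[str]:
    """Hardened check mirroring the fix described above: the address that
    parseaddr hands back must be identical to the input, otherwise the input
    is rejected (returns None).

    Whatever parseaddr does with 'a@b.com@c.com' (older releases returned
    'a@b.com', later ones return ''), the result differs from the input, so
    the equality test rejects it.  Display-name forms such as
    'Alice <a@b.com>' are rejected for the same reason, which is what you
    want for a string that is about to be recorded as a validated address.
    """
    _display_name, parsed = parseaddr(candidate)
    if parsed == "" or parsed != candidate:
        return None
    return parsed


def request_validation_vulnerable(candidate: str) -> dict:
    """Model of the flawed flow: the token goes to whatever parseaddr
    produced, while the raw input is what gets marked as validated."""
    _display_name, parsed = parseaddr(candidate)
    return {"token_sent_to": parsed, "marked_validated": candidate}


def request_validation_hardened(candidate: str) -> Optional[dict]:
    """Fixed flow: validate first, then send to and mark the same string."""
    address = normalise_address(candidate)
    if address is None:
        return None
    return {"token_sent_to": address, "marked_validated": address}


if __name__ == "__main__":
    for addr in (BENIGN, MALFORMED):
        print(addr)
        print("  vulnerable:", request_validation_vulnerable(addr))
        print("  hardened:  ", request_validation_hardened(addr))
```

Running the block prints, for the malformed input, a vulnerable result whose two fields differ and a hardened result of None; for the benign input both flows agree.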
Date | User | Action | Args
2019-04-19 10:28:43 | xtreak | set | recipients: + xtreak, barry, vstinner, msapiro, jwilk, r.david.murray, kal.sze, cnicodeme, bortzmeyer
2019-04-19 10:28:43 | xtreak | set | messageid: <1555669723.29.0.0360237648429.issue34155@roundup.psfhosted.org>
2019-04-19 10:28:43 | xtreak | link | issue34155 messages
2019-04-19 10:28:43 | xtreak | create |