
Author xtreak
Recipients barry, bortzmeyer, cnicodeme, jwilk, kal.sze, msapiro, r.david.murray, vstinner, xtreak
Date 2019-04-19.10:28:43
Message-id <1555669723.29.0.0360237648429.issue34155@roundup.psfhosted.org>
Content
Relevant attack from the Matrix blog post.

https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/

> sydent uses Python's email.utils.parseaddr function to parse the input email address before sending validation mail to it, but it turns out that if you hand parseaddr a malformed email address of form a@b.com@c.com, it silently discards the @c.com prefix without error. The result of this is that if one requested a validation token for 'a@malicious.org@important.com', the token would be sent to 'a@malicious.org', but the address 'a@malicious.org@important.com' would be marked as validated. This release fixes this behaviour by asserting that the parsed email address is the same as the input email address.

I am marking this as a security issue.
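
The check described in the quoted blog post, as an added example that is not part of the original message and is not sydent's code: reject any input that `parseaddr` does not return unchanged, and mark as validated only the exact string the token was mailed to. The `Validator` class, `checked_address`, `RejectedAddress` and the `example.org` address are hypothetical names constructed for illustration.

```python
import secrets
from email.utils import parseaddr


class RejectedAddress(ValueError):
    """The submitted string is not exactly the address parseaddr() extracts."""


def checked_address(submitted):
    """Return the address to mail, or raise if parsing altered the input."""
    _display_name, parsed = parseaddr(submitted)
    # Depending on the Python version, the doubled-@ input may come back as
    # 'a@malicious.org' (as the blog post describes) or as an empty string.
    # Either way the result differs from what was submitted.
    if not parsed or parsed != submitted:
        raise RejectedAddress(f"parsed {parsed!r} != submitted {submitted!r}")
    return parsed


class Validator:
    """Hypothetical in-memory stand-in for an address-validation service."""

    def __init__(self):
        self.pending = {}       # token -> address the token was mailed to
        self.outbox = []        # (recipient, token) pairs, instead of real mail
        self.validated = set()

    def request_token(self, submitted):
        address = checked_address(submitted)
        token = secrets.token_urlsafe(16)
        self.pending[token] = address
        self.outbox.append((address, token))
        return token

    def confirm(self, token):
        # Mark validated only the exact string the token was sent to.
        address = self.pending.pop(token)
        self.validated.add(address)
        return address


if __name__ == "__main__":
    service = Validator()
    # Constructed inputs; the first is the form quoted from the blog post.
    for candidate in ("a@malicious.org@important.com", "a@example.org"):
        try:
            service.request_token(candidate)
            print("token mailed to", candidate)
        except RejectedAddress as exc:
            print("rejected:", exc)
```

The equality check also rejects inputs with a display name or surrounding whitespace, since `parseaddr` strips those and the result no longer matches the submitted string.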