Author Dain Dwarf
Recipients Dain Dwarf, barry, bortzmeyer, cnicodeme, jpic, jwilk, kal.sze, msapiro, nicoe, r.david.murray, vstinner, xtreak
Date 2019-04-29.11:42:55
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org>
In-reply-to
Content
Hello, kind of new here.

I just wanted to note that the issue that lead to Tchap's security attack still exists in the non-deprecated message_from_string function:

email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses

(Address(display_name='', username='a', domain='malicious.org'),)

So, deprecating parseaddr is not enough for security purpose, unless there is another ticket for the new email API.
History
Date User Action Args
2019-04-29 11:42:55Dain Dwarfsetrecipients: + Dain Dwarf, barry, vstinner, msapiro, jwilk, r.david.murray, nicoe, kal.sze, xtreak, cnicodeme, bortzmeyer, jpic
2019-04-29 11:42:55Dain Dwarfsetmessageid: <1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org>
2019-04-29 11:42:55Dain Dwarflinkissue34155 messages
2019-04-29 11:42:55Dain Dwarfcreate