Message341069
Hello, kind of new here.
I just wanted to note that the issue that lead to Tchap's security attack still exists in the non-deprecated message_from_string function:
email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
(Address(display_name='', username='a', domain='malicious.org'),)
So, deprecating parseaddr is not enough for security purpose, unless there is another ticket for the new email API. |
|
Date |
User |
Action |
Args |
2019-04-29 11:42:55 | Dain Dwarf | set | recipients:
+ Dain Dwarf, barry, vstinner, msapiro, jwilk, r.david.murray, nicoe, kal.sze, xtreak, cnicodeme, bortzmeyer, jpic |
2019-04-29 11:42:55 | Dain Dwarf | set | messageid: <1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org> |
2019-04-29 11:42:55 | Dain Dwarf | link | issue34155 messages |
2019-04-29 11:42:55 | Dain Dwarf | create | |
|