This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Dain Dwarf
Recipients Dain Dwarf, barry, bortzmeyer, cnicodeme, jpic, jwilk, kal.sze, msapiro, nicoe, r.david.murray, vstinner, xtreak
Date 2019-04-29.11:42:55
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org>
In-reply-to
Content
Hello, kind of new here.

I just wanted to note that the issue that lead to Tchap's security attack still exists in the non-deprecated message_from_string function:

email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses

(Address(display_name='', username='a', domain='malicious.org'),)

So, deprecating parseaddr is not enough for security purpose, unless there is another ticket for the new email API.
History
Date User Action Args
2019-04-29 11:42:55Dain Dwarfsetrecipients: + Dain Dwarf, barry, vstinner, msapiro, jwilk, r.david.murray, nicoe, kal.sze, xtreak, cnicodeme, bortzmeyer, jpic
2019-04-29 11:42:55Dain Dwarfsetmessageid: <1556538175.74.0.40856090897.issue34155@roundup.psfhosted.org>
2019-04-29 11:42:55Dain Dwarflinkissue34155 messages
2019-04-29 11:42:55Dain Dwarfcreate