Author r.david.murray
Recipients barry, christian.heimes, lukasz.langa, martin.ortner, miguendes, ned.deily, r.david.murray
Date 2021-07-13.16:01:30
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1626192091.41.0.712408882286.issue43124@roundup.psfhosted.org>
In-reply-to
Content
This bug report starts with "a malicious user with direct access to `smtplib.SMTP(..., local_hostname, ..)", which is a senseless supposition.  Anyone with "access to" the SMTP object could just as well be talking directly to the SMTP server and do anything they want that SMTP itself allows.

The concern here is that data a program might obtain *from unsanitized user input* could be used to do header injection.  The "proof of concept" does not address this at all.  We'd need to see a scenario under which data that could reasonably be derived from user input ends up being passed as arguments to an smtplib method that calls putcmd with arguments.

So, I would rate this as *very* low impact issue, unless someone has an *actual example* of code using smtplib that passes user input through to smtplib commands in an exploitable way.

That said, it is perfectly reasonable to be proactive here and prevent scenarios we haven't yet thought of, by doing as recommended (and a bit more) by raising a ValueError if 'args' in the putcmd call contain either \n or \r characters.  I don't think we need to check 'cmd', because I can't see any scenario in which the SMTP command would be derived from user input.  If you want to be *really* paranoid you could check cmd too, and since it will always be a short string the additional performance impact will be minor.
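As an added illustration of the check recommended above (this is not CPython's own code nor the patch for this issue), a stand-alone putcmd-style line builder that raises ValueError when `args` (and, for the paranoid option, `cmd`) contain CR or LF; the names `build_smtp_line` and `rejects_newlines` are chosen here, not taken from smtplib:

```python
"""Illustrative CRLF guard for an smtplib-style putcmd (not CPython's code)."""

CRLF = "\r\n"


def _reject_newlines(label: str, value: str) -> None:
    """Raise ValueError if an SMTP command component contains CR or LF.

    Either character ends the current SMTP line on the wire, so whatever
    follows it in the value would be read by the server as a second command.
    """
    if "\r" in value or "\n" in value:
        escaped = value.replace("\n", "\\n").replace("\r", "\\r")
        raise ValueError(
            f"{label} contains prohibited newline characters: {escaped!r}")


def build_smtp_line(cmd: str, args: str = "", check_cmd: bool = True) -> bytes:
    """Assemble the line putcmd would send, after validating its parts.

    `args` is always checked, since that is the part that could plausibly be
    derived from user input; `cmd` is checked too when check_cmd is True.
    Returns the ASCII wire bytes, CRLF-terminated, as smtplib's send() would.
    """
    _reject_newlines("args", args)
    if check_cmd:
        _reject_newlines("cmd", cmd)
    line = cmd if args == "" else f"{cmd} {args}"
    return (line + CRLF).encode("ascii")


def rejects_newlines(cmd: str, args: str = "") -> bool:
    """True if build_smtp_line refuses this cmd/args pair with ValueError."""
    try:
        build_smtp_line(cmd, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal EHLO argument and one carrying a CRLF.
    print(build_smtp_line("EHLO", "mail.example"))
    print("rejected:", rejects_newlines("EHLO", "mail.example\r\nNOOP"))
```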