Message397433
> This bug report starts with "a malicious user with direct access to `smtplib.SMTP(..., local_hostname, ..)`", which is a senseless supposition. Anyone with "access to" the SMTP object could just as well be talking directly to the SMTP server and do anything they want that SMTP itself allows.
Let's not argue about the phrasing and settle on the fact that I am not a native English speaker, which might be the root cause of the confusion. The core of the issue is that this *unexpected side-effect* may be security-relevant. Fixing it probably takes less time than arguing about phrasing, severity, or spending time describing exploitation scenarios for a general-purpose library that should protect the underlying protocol from injections.
Be kind, I come in peace.

| Date | User | Action | Args |
|---|---|---|---|
| 2021-07-13 17:36:33 | martin.ortner | set | recipients: + martin.ortner, barry, christian.heimes, ned.deily, r.david.murray, lukasz.langa, miguendes |
| 2021-07-13 17:36:33 | martin.ortner | set | messageid: <1626197793.35.0.538596059645.issue43124@roundup.psfhosted.org> |
| 2021-07-13 17:36:33 | martin.ortner | link | issue43124 messages |
| 2021-07-13 17:36:32 | martin.ortner | create | |