[issue20770] Inform caller of smtplib STARTTLS failures
And Clover
report at bugs.python.org
Tue Feb 25 19:20:19 CET 2014
New submission from And Clover:
When an SMTP server responds to the STARTTLS command with an error, the smtplib.SMTP.starttls() method does not raise an exception, as it would if TLS negotiation itself failed. Consequently naïve callers of the function may assume that a TLS connection has actually been established and continue to send sensitive mail through the interface.
In reality starttls() returns a tuple of response code and message from which the fail state can be detected, but this is not documented and no caller code I've met does anything with it.
Either:
1. Treat it as a doc bug for 3.4. The return value should be documented and callers warned that they need to check that value[0]==220 before assuming they have negotiated TLS. Or,
2. starttls() should raise SMTPResponseException for responses other than 220 in a future Python version, especially if moving towards validate-by-default. Possibly only raise an exception if the SSLContext.verify_mode is REQUIRED?
----------
components: Library (Lib)
messages: 212192
nosy: aclover
priority: normal
severity: normal
status: open
title: Inform caller of smtplib STARTTLS failures
type: behavior
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue20770>
_______________________________________
More information about the Python-bugs-list
mailing list