[issue34155] email.utils.parseaddr mistakenly parse an email
Dain Dwarf
report at bugs.python.org
Mon Apr 29 07:42:55 EDT 2019
Dain Dwarf <daindwarf at gmail.com> added the comment:
Hello, kind of new here.
I just wanted to note that the issue that led to Tchap's security attack still exists in the non-deprecated message_from_string function:
email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
(Address(display_name='', username='a', domain='malicious.org'),)
So, deprecating parseaddr is not enough for security purposes, unless there is another ticket for the new email API.
----------
nosy: +Dain Dwarf
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue34155>
_______________________________________
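
A defensive check for the case reported above, added here as an example (it is not part of the original comment or of CPython): the caller refuses to trust a From header unless the raw value is unambiguous, instead of relying on whatever domain the parser returns. The names trusted_sender and ALLOWED_DOMAINS are hypothetical, and the allow-list is constructed from the domain used in the report.

```python
import email
import email.policy

# Constructed allow-list for this example; "important.com" is the
# domain that appears in the report above.
ALLOWED_DOMAINS = {"important.com"}


def trusted_sender(raw_message, allowed=ALLOWED_DOMAINS):
    """Return the sender addr-spec if it is unambiguous and allowed, else None."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)

    # Exactly one From header must be present.
    if len(msg.get_all("From", [])) != 1:
        return None
    header = msg["From"]

    # Reject anything the parser itself flagged as malformed.
    if header.defects:
        return None
    addresses = header.addresses
    if len(addresses) != 1:
        return None
    addr = addresses[0]

    # Deliberately conservative: exactly one "@" in the whole header value,
    # so "a@malicious.org@important.com" is rejected on any Python version,
    # whether or not the parser silently drops the trailing part.
    raw = str(header).strip()
    if raw.count("@") != 1:
        return None

    # The parsed addr-spec must account for the end of the raw value;
    # a mismatch means the parser and the raw text disagree.
    spec = addr.addr_spec
    if raw != spec and not raw.endswith("<" + spec + ">"):
        return None

    if addr.domain.lower() not in allowed:
        return None
    return spec
```

The "exactly one @" rule also rejects legitimate headers whose quoted display name contains "@"; that trade-off is intentional for an access-control decision.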