[issue43124] [security] smtplib multiple CRLF injection

Martin Ortner report at bugs.python.org
Tue Jul 13 13:36:33 EDT 2021


Martin Ortner <martin.ortner at consensys.net> added the comment:

> This bug report starts with "a malicious user with direct access to `smtplib.SMTP(..., local_hostname, ..)", which is a senseless supposition.  Anyone with "access to" the SMTP object could just as well be talking directly to the SMTP server and do anything they want that SMTP itself allows.

Let's not argue about the phrasing and settle on the fact that I am not a native English speaker, which might be the root cause of the confusion. The core of the issue is that this *unexpected side-effect* may be security-relevant. Fixing it probably takes less time than arguing about phrasing, severity, or spending time describing exploitation scenarios for a general-purpose library that should protect the underlying protocol from injections.


Be kind, I come in peace.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43124>
_______________________________________
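The point of the report is that a CR or LF inside a value such as `local_hostname` ends the EHLO line early, so the server reads whatever follows as a separate command. The following is an added example, not code from the report or from CPython, showing the kind of input check a client library can apply before a value reaches the wire; `StrictSMTP`, `raw_ehlo_line` and the hostname regex are assumptions made for the illustration.

```python
import re
import smtplib

# smtplib terminates each command with CRLF, so a CR or LF inside an
# argument starts a new command line on the wire.
CRLF = "\r\n"
# Coarse hostname / address-literal checks (assumed for this example).
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
_ADDR_LITERAL_RE = re.compile(r"\[[0-9A-Fa-f:.]+\]")


def raw_ehlo_line(local_hostname: str) -> str:
    """Build the EHLO line the way an unvalidated client would."""
    return f"ehlo {local_hostname}{CRLF}"


def validate_local_hostname(local_hostname: str) -> str:
    """Reject anything that could terminate the EHLO line early."""
    if "\r" in local_hostname or "\n" in local_hostname:
        raise ValueError("local_hostname must not contain CR or LF")
    if not (_HOSTNAME_RE.fullmatch(local_hostname)
            or _ADDR_LITERAL_RE.fullmatch(local_hostname)):
        raise ValueError(f"not a valid hostname: {local_hostname!r}")
    return local_hostname


def safe_ehlo_line(local_hostname: str) -> str:
    return f"ehlo {validate_local_hostname(local_hostname)}{CRLF}"


def count_commands(wire_text: str) -> int:
    """How many command lines a server would read from this buffer."""
    return len([line for line in wire_text.split(CRLF) if line])


class StrictSMTP(smtplib.SMTP):
    """Hypothetical client whose putcmd refuses CR/LF in every command."""

    def putcmd(self, cmd, args=""):
        for piece in (cmd, args):
            if "\r" in piece or "\n" in piece:
                raise ValueError("SMTP command or argument contains CR/LF")
        super().putcmd(cmd, args)


if __name__ == "__main__":
    tainted = "client.example\r\nNOOP"   # constructed sample input
    print(count_commands(raw_ehlo_line(tainted)))      # 2: two commands
    print(count_commands(safe_ehlo_line("client.example")))  # 1
```

`StrictSMTP(local_hostname="client.example")` can be instantiated without connecting, so the `putcmd` guard can be exercised offline: it raises `ValueError` before anything is sent.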
