Karthikeyan Singaravelan <tir.kar...@gmail.com> added the comment:

Relevant attack from the Matrix blog post.

https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/

> sydent uses python's email.utils.parseaddr function to parse the input email 
> address before sending validation mail to it, but it turns out that if you 
> hand parseaddr a malformed email address of form a...@b.com@c.com, it 
> silently discards the @c.com prefix without error. The result of this is that 
> if one requested a validation token for 'a...@malicious.org@important.com', 
> the token would be sent to 'a...@malicious.org', but the address 
> 'a...@malicious.org@important.com' would be marked as validated. This release 
> fixes this behaviour by asserting that the parsed email address is the same 
> as the input email address.

I am marking this as a security issue.

----------
keywords: +security_issue
nosy: +vstinner

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue34155>
_______________________________________
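The mitigation quoted from the Sydent advisory above (compare the address `parseaddr` returns with the raw input and refuse anything that differs) as an added example; this is not code from the bug report, from Sydent, or from CPython. The function name `strict_parse_email` and the sample addresses are assumptions. Note that what `parseaddr` returns for a two-`@` string depends on the Python version: before the fix for this issue it returned the part before the second `@`, afterwards it returns an empty address. The equality check rejects the input in both cases, so the caller never sends a token to one address while marking a different string as validated.

```python
# Added example (not part of the bug report): a strict wrapper around
# email.utils.parseaddr in the style of the Sydent fix quoted above.
from email.utils import parseaddr


def strict_parse_email(raw):
    """Return `raw` if it is a single bare address that parseaddr reproduces
    exactly, otherwise None.

    For 'a@b.com@c.com' parseaddr historically gave ('', 'a@b.com'),
    silently dropping '@c.com'; current Pythons give ('', ''). Either way
    the parsed address is not equal to the input, so it is rejected here
    instead of being treated as a validated address.
    """
    if not isinstance(raw, str) or not raw:
        return None
    _display_name, addr = parseaddr(raw)
    if not addr:
        return None            # parseaddr found nothing usable
    if addr != raw:
        # Something was stripped or rewritten: a display name, angle
        # brackets, a comment, surrounding whitespace, or a trailing
        # '@domain'. Refuse rather than guess which part the user meant.
        return None
    if addr.count("@") != 1:
        return None            # defence in depth against multi-'@' forms
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return addr


def classify(raw):
    """Constructed helper for the demo: show what parseaddr kept versus
    what the strict check accepts, so the divergence is visible."""
    return {
        "input": raw,
        "parseaddr": parseaddr(raw)[1],
        "accepted": strict_parse_email(raw),
    }


if __name__ == "__main__":
    # Constructed sample inputs, including the shape from the advisory.
    for sample in (
        "user@example.com",
        "a@malicious.org@important.com",
        "Alice <alice@example.com>",
        "user@example.com ",
    ):
        print(classify(sample))
```

Callers that legitimately want to accept `Name <addr>` forms should normalise to the bare address first and then run the strict check on that bare address; the point of the equality test is that the string recorded as validated is byte-for-byte the string a token was actually delivered to.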