Karthikeyan Singaravelan <[email protected]> added the comment:
Relevant attack from matrix blog post.

https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/

> sydent uses python's email.utils.parseaddr function to parse the input email
> address before sending validation mail to it, but it turns out that if you
> hand parseaddr a malformed email address of form [email protected]@c.com, it
> silently discards the @c.com prefix without error. The result of this is that
> if one requested a validation token for '[email protected]@important.com',
> the token would be sent to '[email protected]', but the address
> '[email protected]@important.com' would be marked as validated. This release
> fixes this behaviour by asserting that the parsed email address is the same
> as the input email address.

I am marking this as a security issue.

----------
keywords: +security_issue
nosy: +vstinner

_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue34155>
_______________________________________
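The check the quoted release note describes (the parsed address must equal the input), as an added example that is not part of the original message and is not sydent's code. The function names and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr
from typing import Tuple

# Constructed sample inputs (not taken from the report).
LEGIT = "alice@example.com"
MALFORMED = "mallory@attacker.example@important.example"


def parsed_recipient(raw: str) -> str:
    """Address a mailer would use if it trusted parseaddr's output."""
    return parseaddr(raw)[1]


def unchecked_plan(raw: str) -> Tuple[str, str]:
    """Flow from the report: (address mailed, address marked validated)."""
    return parsed_recipient(raw), raw


def checked_recipient(raw: str) -> str:
    """Return the address only if parseaddr round-trips the input unchanged."""
    parsed = parsed_recipient(raw)
    # For a double-'@' input parseaddr yields a truncated address or an empty
    # string, depending on the Python version; neither equals the input.
    if not parsed or parsed != raw:
        raise ValueError("address rejected: parsed form differs from input")
    return parsed


if __name__ == "__main__":
    for candidate in (LEGIT, MALFORMED, "Alice <alice@example.com>"):
        mailed, marked = unchecked_plan(candidate)
        try:
            verdict = "accepted " + checked_recipient(candidate)
        except ValueError as exc:
            verdict = str(exc)
        print(f"{candidate!r}: mailed={mailed!r} marked={marked!r} -> {verdict}")
```

The equality check also rejects inputs carrying a display name or surrounding whitespace, so callers should normalise input before it reaches this function rather than after.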
