subject:"\[issue47047\] smtplib\: allow custom policy or use msg.policy in send

[issue47047] smtplib: allow custom policy or use msg.policy in send_message

2022-03-17 Thread Mikael Koli



Mikael Koli  added the comment:

It seems the message's policy is actually used. However, the mangle_from_ is 
still always True as the policy is not passed in the initiation of the 
generator. It seems though that all the options I mentioned could still make 
the mangle_from_ to be changeable if one wishes so.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue47047] smtplib: allow custom policy or use msg.policy in send_message

2022-03-17 Thread Mikael Koli



New submission from Mikael Koli :

The method smtplib.SMTP.send_message does not use the message's Policy if all 
of the from_addrs or to_addrs are not international. See: 
https://github.com/python/cpython/blob/v3.10.3/Lib/smtplib.py#L983 (unchanged 
in current main). The email.generator.BytesGenerator does not capture the 
email's policy as it was not passed to its init.

This has at least one notable setback: you cannot set the mangle_from to False 
meaning that the method will always turn "From ..." to ">From ..." in the plain 
text part (though often that is desirable). This is especially confusing as 
email library has the mangle_from as False by default for EmailMessages but 
smtplib.SMTP's send_message does not respect this by default.

The smtplib.SMTP.send_message has a mention about this in the docstring thus 
not entirely sure if intentional:

... Otherwise the generator is called without modifying the
policy.


If we changed this line: 
https://github.com/python/cpython/blob/v3.10.3/Lib/smtplib.py#L983

from this:
g = email.generator.BytesGenerator(bytesmsg)

to this:
g = email.generator.BytesGenerator(bytesmsg, policy=msg.policy.clone()

smptlib's tests are passed but I suspect it's not that simple. The docstring 
mention indicates this is at some level intentional and I think the mangle_from 
needs to remain True as otherwise, it may cause security problems in existing 
code. Another option perhaps could be that the policy could be passed with the 
send_message and that is used if not None or we could have argument 
"msg_policy=False" that if True, the message's policy is used.

One could also think that this could be overcome by subclassing the SMTP. 
However, the logic is such deep in that it is not convenient.

So in short, the options I thought of:
- Have an argument "policy" in send_message to force usage of your own policy 
(safe option)
- Have an argument "msg_policy" (name debatable) in send_message and if True, 
the message's policy is always used (safe option)
- Use the message's policy always (unsafe, possibly breaking and causing 
security issues in existing code)

--
components: Library (Lib), email
messages: 415428
nosy: Miksus, barry, r.david.murray
priority: normal
severity: normal
status: open
title: smtplib: allow custom policy or use msg.policy in send_message
versions: Python 3.10, Python 3.11, Python 3.7, Python 3.8, Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue47047] smtplib: allow custom policy or use msg.policy in send_message

[issue47047] smtplib: allow custom policy or use msg.policy in send_message

2 matches

Site Navigation

Mail list logo

Footer information