[issue34155] email.utils.parseaddr mistakenly parse an email

Dain Dwarf Mon, 29 Apr 2019 04:43:16 -0700


Dain Dwarf <daindw...@gmail.com> added the comment:


Hello, kind of new here.

I just wanted to note that the issue that lead to Tchap's security attack still 
exists in the non-deprecated message_from_string function:

email.message_from_string('From: a...@malicious.org@important.com', 
policy=email.policy.default)['from'].addresses

(Address(display_name='', username='a', domain='malicious.org'),)

So, deprecating parseaddr is not enough for security purpose, unless there is 
another ticket for the new email API.

----------
nosy: +Dain Dwarf

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue34155>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34155] email.utils.parseaddr mistakenly parse an email

Reply via email to