Dain Dwarf <[email protected]> added the comment:
Hello, kind of new here.
I just wanted to note that the issue that lead to Tchap's security attack still
exists in the non-deprecated message_from_string function:
email.message_from_string('From: [email protected]@important.com',
policy=email.policy.default)['from'].addresses
(Address(display_name='', username='a', domain='malicious.org'),)
So, deprecating parseaddr is not enough for security purpose, unless there is
another ticket for the new email API.
----------
nosy: +Dain Dwarf
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue34155>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
