[issue28320] Hostname validation is False by default in imaplib

2018-04-21 Thread Matej Cepl

Matej Cepl  added the comment:

See also issue 33327.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue28320] Hostname validation is False by default in imaplib

2018-04-21 Thread Matej Cepl

Matej Cepl  added the comment:

I do agree with http://legacy.python.org/dev/peps/pep-0476/#other-protocols:

This PEP only proposes requiring this level of validation for HTTP clients, not 
for other protocols such as SMTP.

This is because while a high percentage of HTTPS servers have correct 
certificates, as a result of the validation performed by browsers, for other 
protocols self-signed or otherwise incorrect certificates are far more common.

With HTTP (and thanks to Let’s Encrypt) the situation seems to be really good, 
and most publicly accessible webserver will hopefully have soon good signed 
certificates, but I am afraid that with other servers (and especially but 
certainly not limited to IMAP servers) there are just too many self-signed 
certificates (or ones signed by suspicious internal CAs) in various internal 
email servers, that changing defaults would do more harm than good, I am 
afraid. Also, arguing about defaults is the way of The Waste of Time, so I will 
try to limit myself just to this one comment on this bug.

--
nosy: +mcepl

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue28320] Hostname validation is False by default in imaplib

2016-09-30 Thread Maciej Szulik

New submission from Maciej Szulik:

According to David [1] hostname validation should be True by default for the 
imaplib, my tests clearly show something different. Additionally he states you 
Christian were doing so, that's why I'm opening this not to forget about the 
problem and discuss eventually what should happen.


[1] 
http://bugs.python.org/review/25591/diff/16398/Lib/test/test_imaplib.py#newcode451

--
assignee: christian.heimes
components: email
messages: 22
nosy: barry, christian.heimes, maciej.szulik, r.david.murray
priority: normal
severity: normal
stage: needs patch
status: open
title: Hostname validation is False by default in imaplib
type: security
versions: Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com