Hi Adrian,

Adrian Bunk <b...@debian.org> (2024-12-04):
> + * CVE-2023-27043: Reject malformed addresses in email.parseaddr()
> + (Closes: #1059298)

https://docs.python.org/3/library/smtplib.html isn't quite clear about
what to_addrs should look like (unless you infer it from the example at
the bottom), and I ended up passing 'f...@example.org,b...@example.org'
in some code, which has worked fine until this update.

The docstring is clearer though:

    def sendmail(self, from_addr, to_addrs, msg, mail_options=(),
                 rcpt_options=()):
        """This command performs an entire mail transaction.

        The arguments are:
            - from_addr    : The address sending this mail.
            - to_addrs     : A list of addresses to send this mail to.  A bare
                             ^^^^^^^^^^^^^^^^^^^
                             string will be treated as a list with 1 address.
            - msg          : The message to send.
            - mail_options : List of ESMTP options (such as 8bitmime) for the
                             mail command.
            - rcpt_options : List of ESMTP options (such as DSN commands) for
                             all the rcpt commands.

so I guess it's fair that the stricter check now rejects what's been
working for years.

I thought I'd drop you a note anyway, just in case others wonder why
they aren't getting any mails anymore and/or they get that kind of
traces:

    Traceback (most recent call last):
      File "/home/kibi/my_code.py", line 42, in send
        Job.smtp.sendmail(from_addr, to_addr, message)
      File "/usr/lib/python3.11/smtplib.py", line 901, in sendmail
        raise SMTPRecipientsRefused(senderrs)
    smtplib.SMTPRecipientsRefused: {'f...@example.org,b...@example.org': (501, b'5.1.3 Bad recipient address syntax')}

Cheers,
-- 
Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
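Added example, not part of the original message and not smtplib's own code: one way for a caller that has been passing a comma-separated string to expand it into the list the docstring asks for before calling sendmail(), failing locally on input that cannot be parsed. The names normalize_recipients, send and RecordingSMTP and the example.org addresses are constructed for illustration.

```python
from email.utils import getaddresses


def normalize_recipients(to_addrs):
    """Return one bare address per list entry, as sendmail() expects.

    Accepts a string (possibly several comma-separated addresses, with or
    without display names) or an iterable of such strings.
    """
    fields = [to_addrs] if isinstance(to_addrs, str) else list(to_addrs)
    recipients = []
    for _name, addr in getaddresses(fields):
        local, sep, domain = addr.rpartition("@")
        # getaddresses() may return an empty address or a bare token for
        # input it cannot parse; refuse it here instead of waiting for a 501.
        # Conservative: quoted local parts containing spaces are refused too.
        malformed = any(c in addr for c in ", \t\r\n<>")
        if not (local and sep and domain) or malformed:
            raise ValueError(f"malformed recipient {addr!r} in {to_addrs!r}")
        if addr not in recipients:
            recipients.append(addr)
    if not recipients:
        raise ValueError(f"no recipient found in {to_addrs!r}")
    return recipients


def send(smtp, from_addr, to_addrs, message):
    """Call smtp.sendmail() with to_addrs expanded into a real list."""
    return smtp.sendmail(from_addr, normalize_recipients(to_addrs), message)


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self):
        self.calls = []

    def sendmail(self, from_addr, to_addrs, msg, mail_options=(), rcpt_options=()):
        self.calls.append((from_addr, list(to_addrs)))
        return {}  # smtplib returns a dict of refused recipients; none here


if __name__ == "__main__":
    smtp = RecordingSMTP()
    send(smtp, "sender@example.org", "foo@example.org,bar@example.org",
         "Subject: test\r\n\r\nbody")
    print(smtp.calls)
```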