On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
Fixed a regression which would cause multiple To, Cc, and
Reply-To headers in the result of EmailMessage.message() if
values were supplied for both to/cc/reply_to and the
corresponding extra_headers fields.
Updated related tests to check the generated message() has
exactly one of each expected header using get_all().
Regression in b03d500295.
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
test_server_login() was a regression test for a crash when passing
Unicode strings to SMTP server using CRAM-MD5 method on Python 2.
Python 2 is no longer supported and test_server_login() passes even
without FakeSMTPChannel.smtp_AUTH() because
smtplib.SMTPAuthenticationError is raised when AUTH is not implemented.
Fixed sending emails crash on email addresses with display names longer
then 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.
Wrapped display names were passed to email.headerregistry.Address()
what caused raising an exception because address parts cannot contain
CR or LF.
See https://bugs.python.org/issue39073
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
email.headerregistry.parser.get_mailbox() returns a token with a `token_type` attribute.
If `token_type` is `’invalid-mailbox’` then RFC violations have been detected. Emails with only the local part, and no domain, are correctly parsed but are marked as `’invalid-mailbox’`.
As per #15042, local-only are supported, to enable sending to addresses on localhost.
sanitize_email() does not currently check `token_type`. This test is added to avoid a regression in case this is revisited in the future.
Natalia
Jake Howard
Mike Edmunds
Ronny Vedrilla
Mariusz Felisiak
Baptiste Mispelon
sindre
Nick Pope
David Smith
django-bot
Daniyal
Konstantin Alekseev
Florian Apolloner
Jon Dufresne
Chason Chaffin
Hasan Ramezani
Carlton Gibson
Joachim Jablon
Sergey Fedoseev
Tim Graham
Denis Stebunov
jannschu
Williams Mendez
Mads Jensen
Igor Tokarev