Hi Adrian,
+ * CVE-2023-27043: Reject malformed addresses in email.parseaddr()
+ (Closes: #1059298)
https://docs.python.org/3/library/smtplib.html isn't quite clear about
what to_addrs should look like (unless you infer it from the example at the
bottom), and I ended up passing '***@example.org,***@example.org' in some
code, which has worked fine until this update.
The docstring is clearer though:
def sendmail(self, from_addr, to_addrs, msg, mail_options=(),
rcpt_options=()):
"""This command performs an entire mail transaction.
The arguments are:
- from_addr : The address sending this mail.
- to_addrs : A list of addresses to send this mail to. A bare
^^^^^^^^^^^^^^^^^^^
string will be treated as a list with 1 address.
- msg : The message to send.
- mail_options : List of ESMTP options (such as 8bitmime) for the
mail command.
- rcpt_options : List of ESMTP options (such as DSN commands) for
all the rcpt commands.
so I guess it's fair that the stricter check now rejects what's been
working for years.
I thought I'd drop you a note anyway, just in case others wonder why
they aren't getting any mails anymore and/or they get that kind of
traces:
Traceback (most recent call last):
File "/home/kibi/my_code.py", line 42, in send
Job.smtp.sendmail(from_addr, to_addr, message)
File "/usr/lib/python3.11/smtplib.py", line 901, in sendmail
raise SMTPRecipientsRefused(senderrs)
smtplib.SMTPRecipientsRefused: {'***@example.org,***@example.org': (501, b'5.1.3 Bad recipient address syntax')}
Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant