[Django] #37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header


Django
Jun 9, 2026, 11:50:09 AM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Type: Cleanup/optimization
Status: new                          | Component: Core (Mail)
Version: 6.0                         | Severity: Normal
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Following a security report deemed invalid, there are two related
improvements to `EmailMessage` that we should pursue:

1. Add `bcc` to the `extra_headers` blocklist: `EmailMessage.message()`
already blocks `from`, `to`, `cc`, and `reply-to` from being written into
MIME headers via `extra_headers`, but `bcc` is missing.

2. Clarify docs to avoid saying that `bcc` is a "header": docs describe it
as addresses used in the "Bcc header," which is inaccurate. Bcc addresses
are passed to the SMTP server as RCPT TO recipients and never written into
the MIME message -- there is no Bcc header in the outgoing message. The
word "header" should be removed from that description.
--
Ticket URL: <https://code.djangoproject.com/ticket/37152>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django
Jun 9, 2026, 11:59:36 AM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: (none)
Type: Cleanup/optimization           | Status: new
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:1>

Django
Jun 9, 2026, 12:25:38 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: diaxoaine
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by diaxoaine):

* owner: (none) => diaxoaine
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:2>

Django
Jun 9, 2026, 8:44:51 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: diaxoaine
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mike Edmunds):

* cc: Mike Edmunds (added)

Comment:

Replying to [ticket:37152 Natalia Bidart]:
> 1. Add `bcc` to the `extra_headers` blocklist: `EmailMessage.message()`
> already blocks `from`, `to`, `cc`, and `reply-to` from being written into
> MIME headers via `extra_headers`, but `bcc` is missing.

Just to clarify, the check for `from`, `to`, `cc`, and `reply-to`
[https://github.com/django/django/blob/867c7c0451f2e67e715da5b55b5bf6696747fdc3/django/core/mail/message.py#L339
in EmailMessage.message()] is to avoid duplicating headers that have
''already been added earlier'' in that method. It's not really meant to be
a general header suppression filter (although I suppose it could be).

This ''might'' need more discussion. It's true that a Bcc header does not
belong in a message being handed off to SMTP, but there are some MTAs
(e.g., `sendmail -t`) that do accept it. So there's a slight chance this
could be a breaking change for some custom EmailBackend. ''Extremely
slight,'' but thought I should mention it. (Also note the opposite request
to ''add'' Bcc headers to serialized messages in the console and file
backends, in #28598.)
--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:3>

Django
Jun 10, 2026, 11:03:24 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by hi):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:4>

Django
Jun 11, 2026, 12:09:16 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mike Edmunds):

After some additional thought, I think the right way to handle this is for
`EmailMessage.message()` to raise an error if it finds `"bcc"` in the
`headers`. It's almost certainly a mistake on the caller's part, and we
should be pointing them toward the `bcc` recipient arg instead. There's
also a ''slight'' chance (per my earlier comment) it's deliberate. But
either way, Django should not ''silently'' filter `"bcc"` out of the
headers.

I would also probably mention this in the release notes as a potentially-
breaking change without deprecation. (Any "working" code that depends on
this is using undocumented, non-standard behavior for Bcc headers, so I
think a breaking change is OK.)
--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:5>
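An added illustration of the two points made in the ticket description and in comment:5 above, written for this page and not taken from Django or from any participant in the thread. It uses only the standard library's `email` package; `OutgoingMail`, `RESERVED_HEADERS` and `header_names` are assumed names, and `OutgoingMail` is a deliberately simplified stand-in for `django.core.mail.EmailMessage`, not the real class. It shows Bcc addresses living only in the envelope recipient list, a `bcc` extra header of any letter case raising `ValueError` instead of being dropped silently, and, via the `reject_bcc_header=False` path, how the pre-fix behaviour turned the supposedly hidden addresses into a visible header.

```python
"""Added example, not code from Django or from anyone in this thread.

Shows, with only the standard library, the two points this ticket turns on:
Bcc recipients belong in the SMTP envelope (RCPT TO) and never in the MIME
message, and a "bcc" key supplied through extra headers should raise rather
than be dropped silently. OutgoingMail, RESERVED_HEADERS and header_names are
assumed names for this illustration; OutgoingMail is a simplified stand-in
for django.core.mail.EmailMessage, not the real class.
"""
from email.message import EmailMessage as MimeMessage
from email.policy import SMTP

# Headers the build step writes itself from explicit arguments; a duplicate
# arriving via extra headers is skipped so the header is not emitted twice
# (modelled on the from/to/cc/reply-to handling described in comment:3).
RESERVED_HEADERS = {"from", "to", "cc", "reply-to"}


class OutgoingMail:
    """Explicit recipient lists plus caller-supplied extra headers."""

    def __init__(self, subject, body, from_email, to=(), cc=(), bcc=(), headers=None):
        self.subject = subject
        self.body = body
        self.from_email = from_email
        self.to = list(to)
        self.cc = list(cc)
        self.bcc = list(bcc)
        self.extra_headers = dict(headers or {})

    def recipients(self):
        """Envelope recipients handed to the SMTP server as RCPT TO.
        Bcc addresses appear here and nowhere else."""
        return self.to + self.cc + self.bcc

    def message(self, reject_bcc_header=True):
        """Build the MIME message.

        With reject_bcc_header=True (the behaviour the ticket settled on) a
        "bcc" extra header of any letter case raises ValueError. With False
        the pre-fix behaviour is reproduced: the key is copied into the
        message and the supposedly hidden addresses become a visible header.
        """
        if reject_bcc_header:
            for name in self.extra_headers:
                if name.lower() == "bcc":
                    raise ValueError(
                        "Bcc must not be set in headers; use the bcc recipient list."
                    )
        msg = MimeMessage(policy=SMTP)
        msg["Subject"] = self.subject
        msg["From"] = self.from_email
        if self.to:
            msg["To"] = ", ".join(self.to)
        if self.cc:
            msg["Cc"] = ", ".join(self.cc)
        for name, value in self.extra_headers.items():
            if name.lower() in RESERVED_HEADERS:
                continue  # already written above from the explicit arguments
            msg[name] = value
        msg.set_content(self.body)
        return msg


def header_names(msg):
    """Lower-cased names of the headers present in a built message."""
    return {name.lower() for name in msg.keys()}


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    mail = OutgoingMail(
        "Report", "See attached.", "sender@example.com",
        to=["alice@example.com"], bcc=["auditor@example.com"],
    )
    print(mail.recipients())             # envelope includes the auditor
    print(header_names(mail.message()))  # but the message carries no bcc header

    bad = OutgoingMail(
        "Report", "See attached.", "sender@example.com",
        to=["alice@example.com"], headers={"BCC": "auditor@example.com"},
    )
    try:
        bad.message()
    except ValueError as exc:
        print("rejected:", exc)
    leaked = bad.message(reject_bcc_header=False)
    print("bcc" in header_names(leaked))  # True: the pre-fix leak
```

Run the file directly to see the three outcomes. The check is deliberately case-insensitive because header names are compared that way everywhere else in mail handling, so a `"BCC"` or `"Bcc"` key would otherwise slip past a lowercase-only test; and the design choice of raising rather than filtering follows comment:5, since a caller who put addresses under `bcc` in headers almost certainly meant the `bcc` recipient argument and should be told so.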

Django
Jun 11, 2026, 12:14:00 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:6>

Django
Jun 11, 2026, 1:31:25 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by hi):

Replying to [comment:5 Mike Edmunds]:
> After some additional thought, I think the right way to handle this is
> for `EmailMessage.message()` to raise an error if it finds `"bcc"` in the
> `headers`. It's almost certainly a mistake on the caller's part, and we
> should be pointing them toward the `bcc` recipient arg instead. There's
> also a ''slight'' chance (per my earlier comment) it's deliberate. But
> either way, Django should not ''silently'' filter `"bcc"` out of the
> headers.
>
> I would also probably mention this in the release notes as a
> potentially-breaking change without deprecation. (Any "working" code that
> depends on this is using undocumented, non-standard behavior for Bcc
> headers, so I think a breaking change is OK.)

Thanks, I updated the patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:7>

Django
Jun 11, 2026, 1:31:41 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by hi):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:8>

Django
Jun 11, 2026, 4:19:09 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mike Edmunds):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:9>

Django
Jun 11, 2026, 11:00:34 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by hi):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:10>

Django
Jun 13, 2026, 3:48:05 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: hi
Type: Cleanup/optimization           | Status: assigned
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mike Edmunds):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:11>

Django
Jun 16, 2026, 6:56:30 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: diaxoaine
Type: Cleanup/optimization           | Status: closed
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution: fixed
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by nessita <124304+nessita@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"09434486302078c3649e034dfa74cf3f102db20b" 0943448]:
{{{#!CommitTicketReference repository=""
revision="09434486302078c3649e034dfa74cf3f102db20b"
Fixed #37152 -- Raised ValueError when Bcc is used in EmailMessage
headers.

Bcc addresses are sent via the SMTP envelope and must never appear in
the message itself. A "Bcc" key in `extra_headers` was not excluded like
From/To/Cc/Reply-To, so it leaked into the generated message as a
visible header.

Thanks Mike Edmunds for reviews.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:12>

Django
Jun 16, 2026, 6:57:38 PM
to django-...@googlegroups.com
#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: diaxoaine
Type: Cleanup/optimization           | Status: closed
Component: Core (Mail)               | Version: 6.0
Severity: Normal                     | Resolution: fixed
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"dd4e1a4006cb0713713a97f1252da930abff07fd" dd4e1a4]:
{{{#!CommitTicketReference repository=""
revision="dd4e1a4006cb0713713a97f1252da930abff07fd"
[6.1.x] Fixed #37152 -- Raised ValueError when Bcc is used in EmailMessage
headers.

Bcc addresses are sent via the SMTP envelope and must never appear in
the message itself. A "Bcc" key in `extra_headers` was not excluded like
From/To/Cc/Reply-To, so it leaked into the generated message as a
visible header.

Thanks Mike Edmunds for reviews.

Backport of 09434486302078c3649e034dfa74cf3f102db20b from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37152#comment:13>