#37152: EmailMessage should block `bcc` in `extra_headers` and docs should not
suggest `bcc` is a header
-------------------------------------+-------------------------------------
     Reporter:  Natalia Bidart       |          Type:  Cleanup/optimization
       Status:  new                  |     Component:  Core (Mail)
      Version:  6.0                  |      Severity:  Normal
     Keywords:                       |  Triage Stage:  Unreviewed
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |         UI/UX:  0
-------------------------------------+-------------------------------------
Following a security report deemed invalid, there are two related
improvements to `EmailMessage` that we should pursue:
1. Add `bcc` to the `extra_headers` blocklist: `EmailMessage.message()`
already blocks `from`, `to`, `cc`, and `reply-to` from being written into
MIME headers via `extra_headers`, but `bcc` is missing.
2. Clarify docs to avoid saying that `bcc` is a "header": docs describe it
as addresses used in the "Bcc header," which is inaccurate. Bcc addresses
are passed to the SMTP server as RCPT TO recipients and never written into
the MIME message -- there is no Bcc header in the outgoing message. The
word "header" should be removed from that description.
--
Ticket URL: <https://code.djangoproject.com/ticket/37152>
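The two points in the ticket, as an added example that is not Django's code and not part of the original ticket: a standard-library sketch in which Bcc addresses go only into the SMTP envelope list, and a reserved-name check on extra headers that includes `bcc`. The names `build_message`, `leaks_bcc`, `RESERVED_HEADERS` and the sample addresses are hypothetical.

```python
from email.message import EmailMessage as MIMEMessage

# Hypothetical blocklist: the first four names are the ones the ticket says
# are already blocked; "bcc" is the addition the ticket proposes.
RESERVED_HEADERS = frozenset({"from", "to", "cc", "reply-to", "bcc"})


def build_message(sender, to, cc=(), bcc=(), subject="", body="",
                  extra_headers=None, reserved=RESERVED_HEADERS):
    """Return (mime_message, envelope_recipients) for one outgoing mail."""
    extra_headers = dict(extra_headers or {})
    # Header names are case-insensitive, so compare in lower case.
    clashes = sorted(n for n in extra_headers if n.lower() in reserved)
    if clashes:
        raise ValueError("reserved header(s) in extra_headers: " + ", ".join(clashes))

    msg = MIMEMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    for name, value in extra_headers.items():
        msg[name] = value
    msg.set_content(body)

    # Bcc addresses are handed to the SMTP server as RCPT TO recipients only;
    # nothing above writes them into the MIME message.
    envelope = [*to, *cc, *bcc]
    return msg, envelope


def leaks_bcc(msg, bcc):
    """True if a Bcc header or any Bcc address appears in the serialized message."""
    wire = msg.as_string().lower()
    return "bcc" in msg or any(addr.lower() in wire for addr in bcc)
```

Passing `reserved` without `"bcc"` reproduces the gap the ticket describes: a `Bcc` entry in `extra_headers` is then written into the message that every recipient receives.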