[New-bugs-announce] [issue47047] smtplib: allow custom policy or use msg.policy in send_message

Mikael Koli report at bugs.python.org
Thu Mar 17 12:48:39 EDT 2022

New submission from Mikael Koli <koli.mikael at gmail.com>:

The method smtplib.SMTP.send_message does not use the message's Policy if all of the from_addrs or to_addrs are not international. See: https://github.com/python/cpython/blob/v3.10.3/Lib/smtplib.py#L983 (unchanged in current main). The email.generator.BytesGenerator does not capture the email's policy as it was not passed to its init.

This has at least one notable setback: you cannot set the mangle_from to False meaning that the method will always turn "From ..." to ">From ..." in the plain text part (though often that is desirable). This is especially confusing as email library has the mangle_from as False by default for EmailMessages but smtplib.SMTP's send_message does not respect this by default.

The smtplib.SMTP.send_message has a mention about this in the docstring thus not entirely sure if intentional:

    ... Otherwise the generator is called without modifying the

If we changed this line: https://github.com/python/cpython/blob/v3.10.3/Lib/smtplib.py#L983

from this:
    g = email.generator.BytesGenerator(bytesmsg)

to this:
    g = email.generator.BytesGenerator(bytesmsg, policy=msg.policy.clone()

smptlib's tests are passed but I suspect it's not that simple. The docstring mention indicates this is at some level intentional and I think the mangle_from needs to remain True as otherwise, it may cause security problems in existing code. Another option perhaps could be that the policy could be passed with the send_message and that is used if not None or we could have argument "msg_policy=False" that if True, the message's policy is used.

One could also think that this could be overcome by subclassing the SMTP. However, the logic is such deep in that it is not convenient.

So in short, the options I thought of:
- Have an argument "policy" in send_message to force usage of your own policy (safe option)
- Have an argument "msg_policy" (name debatable) in send_message and if True, the message's policy is always used (safe option)
- Use the message's policy always (unsafe, possibly breaking and causing security issues in existing code)

components: Library (Lib), email
messages: 415428
nosy: Miksus, barry, r.david.murray
priority: normal
severity: normal
status: open
title: smtplib: allow custom policy or use msg.policy in send_message
versions: Python 3.10, Python 3.11, Python 3.7, Python 3.8, Python 3.9

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list