﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32008	sanitize_address() can add newlines in a header that django.core.mail.EmailMessage will refuse.	Pierre-Elliott Bécue	nobody	"Hi,

We've come across a situation with Django 2.2 where, while sanitizing a user address to send a mail in his name, the sanitize_address function, which relies on Python's email.header.Header, will introduce a newline character in the From header, and therefore the mail won't get sent, because Django's security features include refusing emails with newlines in headers. It seems to me that no recent version of Django addresses this issue.

A simple solution would be to have sanitize_address take a maxlinelen parameter passed to Header. A more complex solution would be to see if the newline is followed by spaces or tabulations, in which case it doesn't seem to pose a security risk as it can't lead to an embedded header.

If you need more input I can give some."	Bug	closed	Core (Mail)	2.2	Normal	invalid	mail		Unreviewed	0	0	0	0	0	0
