#36752 closed Bug (duplicate)
SMTP backend crashes on invalid email addresses such as “to@”
| Reported by: | Kwadwo Owusu Ansah | Owned by: | |
|---|---|---|---|
| Component: | Core (Mail) | Version: | dev |
| Severity: | Normal | Keywords: | smtp invalid email parser regression |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
While running the Django test suite on the current development version
(6.1.dev), the SMTP backend crashes when preparing invalid email
addresses such as "to@".
This failure is triggered by the test:
tests/mail/tests.py::test_avoids_sending_to_invalid_addresses
Expected behavior:
Invalid email addresses should be rejected early with a ValueError and
must not reach the low-level email header parser used by
AddressHeader.value_parser().
Actual behavior:
The following exception occurs when attempting to parse the invalid
address:
IndexError: string index out of range
Traceback (excerpt):
File django/core/mail/backends/smtp.py, in prep_address
parsed = AddressHeader.value_parser(address)
File .../email/_header_value_parser.py
if value[0] in CFWS_LEADER:
IndexError: string index out of range
This indicates that the backend attempts to parse malformed email
addresses too deeply instead of validating them first.
Environment:
- Django version: 6.1.dev
- Python 3.12
- Command: python tests/runtests.py mail
Steps to reproduce:
- Clone Django main
- Install test dependencies
- Run: python tests/runtests.py mail
- Observe the failure in test_avoids_sending_to_invalid_addresses
The failure is reproducible and appears to be a regression in the SMTP
backend’s handling of invalid recipient addresses.
Change History (4)
comment:1 by , 3 weeks ago
| Has patch: | set |
|---|
follow-up: 4 comment:2 by , 3 weeks ago
Is it definitely not possible for an SMTP server to not require the hostname part of an address? I guess since Python's email library rejects it we probably don't have a choice.
Regarding the patch, it seems to only change the exception, rather than notably change behaviour. Perhaps it's better to wrap the AddressHeader.value_parser call in a try: except: and raise a slightly nicer message. I assume hitting a ValueError will just raise a different exception, rather than notably changing the crashing behaviour?
comment:3 by , 3 weeks ago
| Has patch: | unset |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |
3.12.0 is not supported, please run the latest bugfix release of Python 3.12. Duplicate of #36746.
comment:4 by , 3 weeks ago
Replying to Jake Howard:
> Is it definitely not possible for an SMTP server to not require the hostname part of an address?
Django specifically supports localpart-only addresses like "webmaster" which are intended to be delivered to a local mailbox. (Despite Python's email package marking that form as a header defect.)
But Django doesn't allow invalid addresses like "webmaster@" or "to@" as reported here.
Patch submitted in https://github.com/django/django/pull/20301.
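The validation discussed in this ticket, sketched as an added example; it is not Django's code and not the patch in the linked pull request. `addr_spec_or_error` and `rejected` are hypothetical names, and the sample addresses are constructed. It wraps `AddressHeader.value_parser()` so that both a parser crash and a parser-reported defect surface as `ValueError`, while localpart-only addresses stay accepted:

```python
from email.errors import HeaderParseError
from email.headerregistry import AddressHeader

# Defect text CPython's parser attaches to a bare local part like "webmaster".
LOCAL_ONLY_DEFECT = "addr-spec local part with no domain"


def addr_spec_or_error(address):
    """Return the addr-spec of a single address, or raise ValueError.

    Hypothetical helper: parser crashes and parser-reported defects are
    both converted to ValueError so callers handle one exception type.
    """
    if not isinstance(address, str):
        raise ValueError(f"Invalid address {address!r}: not a string")
    try:
        parsed = AddressHeader.value_parser(address)
    except (IndexError, HeaderParseError) as exc:
        # The traceback in this ticket: IndexError raised inside the
        # stdlib parser for input such as "to@".
        raise ValueError(f"Invalid address {address!r}: unparseable") from exc

    defects = {str(d) for d in parsed.all_defects}
    defects.discard(LOCAL_ONLY_DEFECT)  # local mailboxes stay allowed
    if defects:
        detail = "; ".join(sorted(defects))
        raise ValueError(f"Invalid address {address!r}: {detail}")

    mailboxes = parsed.all_mailboxes
    if len(mailboxes) != 1:
        raise ValueError(f"Invalid address {address!r}: must be a single address")
    return mailboxes[0].addr_spec


def rejected(address):
    """True when addr_spec_or_error refuses the address."""
    try:
        addr_spec_or_error(address)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["webmaster", "to@example.com", "to@", "webmaster@", ""]:
        print(repr(sample), "rejected" if rejected(sample) else "accepted")
```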