#37152 closed Cleanup/optimization (fixed)
EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
| Reported by: | Natalia Bidart | Owned by: | diaxoaine |
|---|---|---|---|
| Component: | Core (Mail) | Version: | 6.0 |
| Severity: | Normal | Keywords: | |
| Cc: | Mike Edmunds | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Following a security report deemed invalid, there are two related improvements to EmailMessage that we should pursue:
- Add
bccto theextra_headersblocklist:EmailMessage.message()already blocksfrom,to,cc, andreply-tofrom being written into MIME headers viaextra_headers, butbccis missing.
- Clarify docs to avoid saying that
bccis a "header": docs describe it as addresses used in the "Bcc header," which is inaccurate. Bcc addresses are passed to the SMTP server as RCPT TO recipients and never written into the MIME message -- there is no Bcc header in the outgoing message. The word "header" should be removed from that description.
Change History (13)
comment:1 by , 3 weeks ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 3 weeks ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:3 by , 3 weeks ago
| Cc: | added |
|---|
comment:4 by , 3 weeks ago
| Has patch: | set |
|---|
follow-up: 7 comment:5 by , 3 weeks ago
After some additional thought, I think the right way to handle this is for EmailMessage.message() to raise an error if it finds "bcc" in the headers. It's almost certainly a mistake on the caller's part, and we should be pointing them toward the bcc recipient arg instead. There's also a slight chance (per my earlier comment) it's deliberate. But either way, Django should not silently filter "bcc" out of the headers.
I would also probably mention this in the release notes as a potentially-breaking change without deprecation. (Any "working" code that depends on this is using undocumented, non-standard behavior for Bcc headers, so I think a breaking change is OK.)
comment:6 by , 3 weeks ago
| Patch needs improvement: | set |
|---|
comment:7 by , 3 weeks ago
Replying to Mike Edmunds:
After some additional thought, I think the right way to handle this is for
EmailMessage.message()to raise an error if it finds"bcc"in theheaders. It's almost certainly a mistake on the caller's part, and we should be pointing them toward thebccrecipient arg instead. There's also a slight chance (per my earlier comment) it's deliberate. But either way, Django should not silently filter"bcc"out of the headers.
I would also probably mention this in the release notes as a potentially-breaking change without deprecation. (Any "working" code that depends on this is using undocumented, non-standard behavior for Bcc headers, so I think a breaking change is OK.)
Thanks, I updated the patch.
comment:8 by , 3 weeks ago
| Patch needs improvement: | unset |
|---|
comment:9 by , 3 weeks ago
| Patch needs improvement: | set |
|---|
comment:10 by , 3 weeks ago
| Patch needs improvement: | unset |
|---|
comment:11 by , 2 weeks ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Replying to Natalia Bidart:
Just to clarify, the check for
from,to,cc, andreply-toin EmailMessage.message() is to avoid duplicating headers that have already been added earlier in that method. It's not really meant to be a general header suppression filter (although I suppose it could be).This might need more discussion. It's true that a Bcc header does not belong in a message being handed off to SMTP, but there are some MTAs (e.g.,
sendmail -t) that do accept it. So there's a slight chance this could be a breaking change for some custom EmailBackend. Extremely slight, but thought I should mention it. (Also note the opposite request to add Bcc headers to serialized messages in the console and file backends, in #28598.)