Opened 60 minutes ago
Last modified 25 minutes ago
#37152 assigned Cleanup/optimization
EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header
| Reported by: | Natalia Bidart | Owned by: | diaxoaine |
|---|---|---|---|
| Component: | Core (Mail) | Version: | 6.0 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Following a security report deemed invalid, there are two related improvements to EmailMessage that we should pursue:
- Add `bcc` to the `extra_headers` blocklist: `EmailMessage.message()` already blocks `from`, `to`, `cc`, and `reply-to` from being written into MIME headers via `extra_headers`, but `bcc` is missing.
- Clarify docs to avoid saying that `bcc` is a "header": docs describe it as addresses used in the "Bcc header," which is inaccurate. Bcc addresses are passed to the SMTP server as RCPT TO recipients and never written into the MIME message -- there is no Bcc header in the outgoing message. The word "header" should be removed from that description.
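The two points above, as an added sketch that is not part of the ticket and not Django's code: it uses the standard library's `email.message.EmailMessage` to show `bcc` addresses going only into the envelope recipient list while a case-insensitive blocklist keeps a `Bcc` entry in `extra_headers` out of the MIME headers. The names `build_outgoing` and `BLOCKED_EXTRA_HEADERS`, the choice to silently skip blocked names, and the sample addresses are assumptions.

```python
from email.message import EmailMessage

# Header names a caller may not set through extra_headers. The first four are
# the ones the ticket says are already blocked; "bcc" is the proposed addition.
BLOCKED_EXTRA_HEADERS = {"from", "to", "cc", "reply-to", "bcc"}


def build_outgoing(subject, body, from_email, to=(), cc=(), bcc=(),
                   reply_to=(), extra_headers=None):
    """Return (mime_message, envelope_recipients) for one outgoing mail."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = from_email
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if reply_to:
        msg["Reply-To"] = ", ".join(reply_to)
    for name, value in (extra_headers or {}).items():
        # Header names are case-insensitive, so compare in lower case.
        if name.lower() in BLOCKED_EXTRA_HEADERS:
            continue  # assumption: skip silently rather than raise
        msg[name] = value
    msg.set_content(body)
    # Bcc addresses are envelope-only: they are handed to the SMTP server as
    # RCPT TO recipients and never written into the MIME message.
    recipients = [*to, *cc, *bcc]
    return msg, recipients


if __name__ == "__main__":
    # Constructed sample input.
    message, rcpts = build_outgoing(
        "Report", "Quarterly numbers.", "sender@example.com",
        to=["alice@example.com"], bcc=["audit@example.com"],
        extra_headers={"BCC": "leak@example.com", "X-Campaign": "q3"},
    )
    print("RCPT TO:", rcpts)
    print(message.as_string())
```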
Change History (2)
comment:1 by , 51 minutes ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
comment:2 by , 25 minutes ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |