Thread by Elliot Alderson, 9 tweets, 4 min read
📢 Technical thread 📢

In fact, the vulnerability I found on #Tchap is a problem that comes from the Python email.utils module 😨

The parseaddr method seems very broken; you should not use it at all. Let me show you why. 1/
1. Open a terminal
2. python
3. import email.utils

We are ready to play! 2/
"Parse address – which should be the value of some address-containing field such as To or Cc – into its constituent realname and email address parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ('', '') is returned" 3/
Yesterday, this is how @Matrix was using the parseaddr method. Job done, no? 4/
What happens if I add @presidence@elysee.fr at the end of my email address?

Sh*t, the result is still my email address 😮. This vulnerability can be useful to bypass some email restrictions, as we saw yesterday 5/
It also works if you add a space between your email address and @presidence@elysee.fr 6/
But wait, what happens if I enter something that is not an email address?

According to the docs, it is supposed to return an empty string.

WTF?! It returns my input 7/
Clearly, this parseaddr is not doing its job...

If you use this method in your codebase, review it ASAP, especially if you have implemented an email restriction 8/
As noticed by @bortzmeyer, an issue has been open on the Python bug tracker since 2018-07-19: bugs.python.org/issue34155
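The behaviour the thread demonstrates, next to a stricter check, as an added example (editor's code, not from the thread, from Matrix or from Synapse). The inputs are constructed, the ALLOWED_DOMAINS allowlist is hypothetical, and naive_domain_allowed is a generic illustration of a domain check that can disagree with parseaddr about which address is meant, not a claim about what Matrix's code did. Python later changed parseaddr for the double-'@' case (bpo-34155, fixed in 2019 for 3.8 and a 3.7 maintenance release; it returns ('', '') there), so on a current interpreter the lenient result for those two inputs is '' rather than the attacker's own address; a string that is not an address at all still comes back unchanged in every version.

```python
"""Added example: why trusting email.utils.parseaddr for an allowlist is unsafe,
and one way to validate a registration address strictly instead."""
import email.utils
import re

# Constructed inputs (not the thread's actual test run). The third and fourth
# reproduce the two tricks from the thread; the last is "not an email address".
CANDIDATES = [
    "attacker@example.com",
    "Attacker <attacker@example.com>",
    "attacker@example.com@presidence@elysee.fr",
    "attacker@example.com @presidence@elysee.fr",
    "not-an-email",
]

# Hypothetical allowlist of registration domains, standing in for the kind of
# restriction the thread describes bypassing.
ALLOWED_DOMAINS = {"elysee.fr"}

# One addr-spec only: non-empty local part, exactly one '@', a dotted domain,
# no whitespace, no display name or angle brackets.
SINGLE_ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def lenient_address(raw):
    """What parseaddr hands back: depending on the Python version this is the
    attacker's own address or '' for the double-'@' inputs, and the raw input
    itself for a string that is not an address at all."""
    return email.utils.parseaddr(raw)[1]


def naive_domain_allowed(raw, allowed=ALLOWED_DOMAINS):
    """The unsafe pattern (illustrative, not Matrix's code): decide on the raw
    string's last '@' while parseaddr decides where the mail actually goes.
    The two disagree on 'attacker@example.com@presidence@elysee.fr'."""
    return raw.rsplit("@", 1)[-1].strip().lower() in allowed


def strict_address(raw):
    """Return the address only if parseaddr's result is the entire (stripped)
    input and matches a single addr-spec; otherwise None. Rejecting anything
    that does not round-trip closes both tricks and the not-an-address case."""
    _, addr = email.utils.parseaddr(raw)
    if not addr or addr != raw.strip() or not SINGLE_ADDR_SPEC.match(addr):
        return None
    return addr


def registration_address(raw, allowed=ALLOWED_DOMAINS):
    """Policy check and canonical value in one place: returns the address the
    caller must use for delivery if its domain is allowed, else None."""
    addr = strict_address(raw)
    if addr is None or addr.rsplit("@", 1)[1].lower() not in allowed:
        return None
    return addr


if __name__ == "__main__":
    for raw in CANDIDATES:
        print(f"{raw!r:48} parseaddr={lenient_address(raw)!r:24} "
              f"naive_ok={naive_domain_allowed(raw)!s:5} "
              f"strict={strict_address(raw)!r}")
```

The design point is that the value the policy is evaluated on and the value the mail is sent to must be the same object: registration_address returns one canonical address or nothing, so a caller cannot accidentally accept on one interpretation of the string and deliver on another. Requiring the parsed address to equal the stripped input also rejects display-name forms, which a registration field has no reason to accept.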