Releases: cole/aiosmtplib
Releases · cole/aiosmtplib
Release list
v5.1.2
What's Changed
- Security: Discard any buffered server data before the STARTTLS handshake, preventing a response-injection attack where a man-in-the-middle pre-stages plaintext that would otherwise be read as part of the encrypted session. More details: GHSA-vxj7-4xrp-5vr4
- Bugfix: Corrected SMTPResponse
__repr__result - Bugfix: Calling
connect()on an already-connected client now raisesSMTPExceptioninstead of deadlocking on the connection lock - Feature: Poe command runner for dev tasks
- Bugfix: Timeout ignored during CRAM-MD5 verification
- Bugfix: Only parse EHLO response after validating success
- Bugfix: return None from extract_sender when address list is empty
- Bugfix: Enforce a maximum total response size, preventing unbounded memory use if a server streams data with no line ending or endless multiline continuation lines
- Bugfix: Use the invalid_response status code (-1) instead of 500 when a server response line exceeds the maximum length
- Bugfix: A read timeout now closes the connection instead of leaving it in a desynced state, where a late server response could be mispaired with a subsequent command
- Bugfix: Correctly parse old-style
AUTH=extension advertisements; all advertised methods are now kept (e.g. both PLAIN and LOGIN fromAUTH=PLAIN LOGIN) - Bugfix: ESMTP extension lines with leading whitespace are no longer ignored
Full Changelog: v5.1.1...v5.1.2
5.1.1
What's Changed
- Security: Reject control characters (the C0 range 0x00-0x1F and DEL 0x7F, including CR, LF, and NUL) in SMTP command arguments, preventing command injection via input passed to mail(), rcpt(), vrfy(), expn() or sendmail(). Such input now raises ValueError before anything is written to the connection. More details: GHSA-v3q9-hj7j-63hq Thanks to @tonghuaroot for the report.
- Bugfix: SMTP.quit() no longer hangs until the read timeout when the peer drops the transport with an exception after QUIT is sent but before the 221 reply is parsed (e.g. AWS SES closing TLS without close_notify). Contributed by @yamaaaaaa31
New Contributors
- @yamaaaaaa31 made their first contribution in #346
Full Changelog: v5.1.0...v5.1.1
v5.1.0
v5.0.0
v4.0.2
What's Changed
- Bugfix: correct aexit signature to comply with async context manager protocol by @oliverlambson in #323
New Contributors
- @oliverlambson made their first contribution in #323
Full Changelog: v4.0.1...v4.0.2
v4.0.1
v4.0.0
- BREAKING: Drop Python 3.8 support
- Bugfix: Run socket.getfqdn in thread to avoid blocking event loop if local_hostname not provided (thanks @raidzin)
- Bugfix: Clear connect lock on connection lost, allowing client reconnect
- Bugfix: Allow socket connections to use TLS by providing hostname and use_tls=True
Full Changelog: v3.0.2...v4.0.0
v3.0.2
v3.0.1
- Bugfix: 'Future exception was never retrieved' warning in SMTPProtocol after successful connection close and garbage collection.
- Cleanup: Updated FlowControlMixin logic from stdlib
Full Changelog: v3.0.0...v3.0.1
3.0.0
- BREAKING: Drop Python 3.7 support.
- BREAKING: Positional arguments are now positional only, and keyword arguments
are keyword only. - BREAKING: Passing
source_addressas a string argument (deprecated in 2.0) is now an error.source_addresstakes a (addr, port) tuple that is used as thelocal_addrparam ofasyncio.create_connection, allowing for binding to a specific IP. Thelocal_hostnameargument takes the value to be sent to the server with the EHLO/HELO message (which is whatsource_addresswas used for prior to 2.0). - Change: don't use timeout value passed to
connecteverywhere, only for the initial connection (credit @wombatonfire) - Change: removed unnecessary connection lost callback
- Change: revised handling for 'Future exception was never retrieved' warnings in protocol