What's Changed
- Security: Discard any buffered server data before the STARTTLS handshake, preventing a response-injection attack where a man-in-the-middle pre-stages plaintext that would otherwise be read as part of the encrypted session. More details: GHSA-vxj7-4xrp-5vr4
- Bugfix: Corrected SMTPResponse
__repr__result - Bugfix: Calling
connect()on an already-connected client now raisesSMTPExceptioninstead of deadlocking on the connection lock - Feature: Poe command runner for dev tasks
- Bugfix: Timeout ignored during CRAM-MD5 verification
- Bugfix: Only parse EHLO response after validating success
- Bugfix: return None from extract_sender when address list is empty
- Bugfix: Enforce a maximum total response size, preventing unbounded memory use if a server streams data with no line ending or endless multiline continuation lines
- Bugfix: Use the invalid_response status code (-1) instead of 500 when a server response line exceeds the maximum length
- Bugfix: A read timeout now closes the connection instead of leaving it in a desynced state, where a late server response could be mispaired with a subsequent command
- Bugfix: Correctly parse old-style
AUTH=extension advertisements; all advertised methods are now kept (e.g. both PLAIN and LOGIN fromAUTH=PLAIN LOGIN) - Bugfix: ESMTP extension lines with leading whitespace are no longer ignored
Full Changelog: v5.1.1...v5.1.2