From a031475c10ad1f7179755cc1592a1d2be158b3fa Mon Sep 17 00:00:00 2001
From: Frederik Braun
Date: Tue, 8 Aug 2023 17:04:37 +0200
Subject: [PATCH] Ensure SMTP over SSL verifies the server certificate (#2193)

This patch supplies an ssl context to the `SMTP_SSL` constructor, which enables certificate verification. The default context will use the system's trusted CA certificates. See https://docs.python.org/3/library/ssl.html#ssl-security for more.

Kudos to Martin Schobert and Tobias Ospelt of Pentagrid AG for reporting to Mozilla Security.
---
 bugbot/mail.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bugbot/mail.py b/bugbot/mail.py
index 8f62436da..a4a290f56 100644
--- a/bugbot/mail.py
+++ b/bugbot/mail.py
@@ -3,6 +3,7 @@
 # You can obtain one at http://mozilla.org/MPL/2.0/.
 
 import smtplib
+import ssl
 from email.mime.application import MIMEApplication
 from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
@@ -126,7 +127,9 @@ def sendMail(From, To, msg, login={}, dryrun=False):
     smtp_ssl = login.get("smtp_ssl", default_login.get("smtp_ssl", True))
 
     if smtp_ssl:
-        mailserver = smtplib.SMTP_SSL(smtp_server, smtp_port)
+        mailserver = smtplib.SMTP_SSL(
+            smtp_server, smtp_port, context=ssl.create_default_context()
+        )
     else:
         mailserver = smtplib.SMTP(smtp_server, smtp_port)
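Review bot: The `else:` branch of the second hunk still builds a plain `smtplib.SMTP(smtp_server, smtp_port)` and never upgrades the connection, so whenever a caller sets `smtp_ssl` to False the session, and any credentials sent over it later in `sendMail`, travel in cleartext while the fixed branch now gets full chain and hostname verification from `ssl.create_default_context()`. If the non-SSL path is meant for servers that offer opportunistic TLS, add `mailserver.starttls(context=ssl.create_default_context())` right after the `SMTP(...)` construction (it raises `SMTPNotSupportedError` when the server lacks STARTTLS, which is arguably the right failure); if it is meant to stay plaintext, a comment such as `# NOTE: smtp_ssl=False sends mail and login over an unencrypted channel` would make that choice explicit. The `@@` header also shows `sendMail(From, To, msg, login={}, dryrun=False)`, a mutable default argument that predates this patch and is only safe as long as `login` is never mutated; `login=None` with an in-body default would remove the risk. `sendMail` begins before this hunk and appears to continue past it, so the post-construction login/send code is not visible here.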