email_url uses unquote_plus which breaks values with + in them

[awbacker]

When using email_url, if your username or password includes a + then the function will unquote it (change it to a space), breaking the value.

AWS SES passwords can and do have + in them.

I think email_url should be updated to unescape only classic % escaping via unquote(), or to abandon unescaping altogether.

No escaping actually has to be done, since urlparse does not care about the values. If you have a space in your username it will happily let you put it in the url.

>>> u = urlparse("sql://user:one+two%20three four@host.com:23")
>>> u.scheme, u.username, u.password, u.hostname
('sql', 'user', 'one+two%20three four', 'host.com')

This is of course subjective, and when dealing with URIs here I don't think there is always a correct answer. It may depend on where you get your settings from.

An alternative would be to raise an error if one of those conditions was found (space, + or % in the u/p) and instruct the user to pass in an unquote function of their liking or none to just take it as is.

config.update({
            'EMAIL_FILE_PATH': path,
            'EMAIL_HOST_USER': _cast_urlstr(url.username),
            'EMAIL_HOST_PASSWORD': _cast_urlstr(url.password),

...
def _cast_urlstr(v):
    return unquote_plus(v) if isinstance(v, str) else v

The

[awbacker]

I ended up with this code, just for reference:

_env = environ.Env()
_config: ParseResult = _env.url("EMAIL_URL", "dummymail://")

EMAIL_BACKEND = _env.EMAIL_SCHEMES[_config.scheme]  # just error if misconfigured
EMAIL_HOST_USER = _config.username
EMAIL_HOST_PASSWORD = _config.password
EMAIL_HOST = _config.hostname
EMAIL_PORT = _config.port
EMAIL_USE_TLS = "smtp" in _config.scheme