When using email_url, if your username or password includes a + then the function will unquote it (change it to a space), breaking the value.
AWS SES passwords can and do have + in them.
I think email_url should be updated to unescape only classic % escaping via unquote(), or to abandon unescaping altogether.
No escaping actually has to be done, since urlparse does not care about the values. If you have a space in your username it will happily let you put it in the url.
This is of course subjective, and when dealing with URIs here I don't think there is always a correct answer. It may depend on where you get your settings from.
An alternative would be to raise an error if one of those conditions was found (space, + or % in the u/p) and instruct the user to pass in an unquote function of their liking or none to just take it as is.
```python
config.update({
    'EMAIL_FILE_PATH': path,
    'EMAIL_HOST_USER': _cast_urlstr(url.username),
    'EMAIL_HOST_PASSWORD': _cast_urlstr(url.password),
...
def _cast_urlstr(v):
    return unquote_plus(v) if isinstance(v, str) else v
```
awbacker changed the title from "email_url uses unquote_plus which breaks paswords/usernames with + in them" to "email_url uses unquote_plus which breaks values with + in them" on May 6, 2022
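The decoding difference reported above, together with the alternative the issue proposes (a caller-chosen decoder, or an error on ambiguous characters), as an added example that is not the project's code. `parse_credentials`, its `decode` and `strict` parameters, and the sample URL are hypothetical and constructed for illustration.

```python
from urllib.parse import unquote, unquote_plus, urlparse

# Constructed sample: a password containing both '+' and a %-escape ('/').
SAMPLE_URL = "smtp://AKIAEXAMPLE:abc+def%2Fghi@email-smtp.example.com:587"

# Characters whose meaning depends on which decoding convention is assumed.
AMBIGUOUS = set(" +%")


def parse_credentials(url, decode=None, strict=False):
    """Return (username, password) taken from the userinfo part of `url`.

    decode: None keeps the values exactly as written, or a callable such as
            urllib.parse.unquote / unquote_plus chosen by the caller.
    strict: with decode=None, raise instead of guessing when a value
            contains a space, '+' or '%'.
    """
    parts = urlparse(url)
    result = []
    for name, value in (("username", parts.username),
                        ("password", parts.password)):
        if value is None:
            result.append(None)
            continue
        if strict and decode is None and AMBIGUOUS & set(value):
            # Do not echo the secret itself in the error message.
            raise ValueError(
                f"{name} contains ' ', '+' or '%'; pass decode=unquote, "
                "decode=unquote_plus, or strict=False to take it as is"
            )
        result.append(decode(value) if decode else value)
    return tuple(result)


if __name__ == "__main__":
    for label, fn in (("unquote_plus", unquote_plus),
                      ("unquote", unquote),
                      ("as is", None)):
        print(f"{label:13} -> {parse_credentials(SAMPLE_URL, decode=fn)[1]!r}")
```

Only `unquote_plus` changes the `+`; `unquote` decodes `%2F` and leaves `+` alone, and `decode=None` returns the password byte for byte.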