If the msg parameter to smtplib.SMTP.sendmail() 
contains a '\r\n.\r\n', the message will be 
terminated.  This will surprise most users, as 
smtplib should encapsulate the various protocol 
details rather than expose them.

It's also a potential security hole.  If 
user-supplied data is passed as msg, then the user 
may be able to inject SMTP commands by placing them 
after a '\r\n.\r\n'.

A workaround is to mutilate msg before passing it to 
smtplib.

Logged In: YES 
user_id=21627

Would you like to contribute a patch to fix this problem?

Logged In: YES 
user_id=539971

Yes.  Do I need to submit it against 2.4 or 2.5, or both?

Logged In: YES 
user_id=849994

As there were almost no changes in smtplib between 2.4 and
2.5, I think that 2.5 is enough, if someone backports it to
2.4, he can adapt if necessary.

Logged In: YES 
user_id=539971

Sorry, the report is completely bogus.  smtplib already does the necessary quoting.

I was getting truncated emails from a subversion commit hook, and jumped to conclusions.  
Turned out the commit hook was using the sendmail command, NOT smtplib (although it does 
have that option).

Sorry for the noise.

Logged In: YES 
user_id=539971

deleting.