Fail closed on SMTP STARTTLS credential failure before sending creds. Ensure diff's manifest dir works now that we don't remove the target location if it exists (temp dir)
This commit is contained in:
parent
5ffd4ee755
commit
0384f8817b
GPG key ID:
03906B4110AAD3B8
1 changed files with 14 additions and 5 deletions
|
|
@ -923,14 +923,17 @@ def enforce_old_harvest(
|
||||||
except OSError:
|
except OSError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# 1) Generate a manifest in a temp directory.
|
# 1) Generate a manifest in a temp directory. The renderer now
|
||||||
manifest(str(old_b.dir), str(td_path), target=target)
|
# refuses to write into an existing destination, so use a fresh
|
||||||
|
# child path under the secure temporary directory.
|
||||||
|
manifest_dir = td_path / "manifest"
|
||||||
|
manifest(str(old_b.dir), str(manifest_dir), target=target)
|
||||||
|
|
||||||
# 2) Apply it locally.
|
# 2) Apply it locally.
|
||||||
cmd, env = _enforcement_command(
|
cmd, env = _enforcement_command(
|
||||||
target,
|
target,
|
||||||
tool_exe,
|
tool_exe,
|
||||||
td_path,
|
manifest_dir,
|
||||||
tags=tags,
|
tags=tags,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -1454,8 +1457,14 @@ def send_email(
|
||||||
try:
|
try:
|
||||||
s.starttls()
|
s.starttls()
|
||||||
s.ehlo()
|
s.ehlo()
|
||||||
except Exception:
|
except Exception as e:
|
||||||
# STARTTLS is optional; ignore if unsupported.
|
if smtp_user or smtp_password:
|
||||||
|
raise RuntimeError(
|
||||||
|
"email: SMTP STARTTLS failed; refusing to send credentials "
|
||||||
|
"without TLS"
|
||||||
|
) from e
|
||||||
|
# Without credentials, keep STARTTLS opportunistic so localhost or
|
||||||
|
# unauthenticated relay setups continue to work.
|
||||||
pass # nosec
|
pass # nosec
|
||||||
if smtp_user:
|
if smtp_user:
|
||||||
s.login(smtp_user, smtp_password or "")
|
s.login(smtp_user, smtp_password or "")
|
||||||
|
|
|
||||||
Reference in a new issue