From 3aeadfd9fd7c80151a63f847a7ec79546c875f9d Mon Sep 17 00:00:00 2001
From: Matthew Fernandez
Date: Fri, 2 Feb 2024 17:28:18 +1100
Subject: [PATCH] fix: validate SSL certificates for IMAP connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Python docs say:¹ _ssl_context_ is a `ssl.SSLContext` object which allows bundling SSL configuration options, certificates and private keys into a single (potentially long-lived) structure. Please read Security considerations for best practices. … For client use, if you don’t have any special requirements for your security policy, it is highly recommended that you use the `create_default_context()` function to create your SSL context. It will load the system’s trusted CA certificates, enable certificate validation and hostname checking, and try to choose reasonably secure protocol and cipher settings. … By contrast, if you create the SSL context by calling the `SSLContext` constructor yourself, it will not have certificate validation nor hostname checking enabled by default. While this is clear, it is counter-intuitive behaviour of which I was unaware. I only learned of this through an oss-sec posting.² This issue seems to have a long history and we are not the only software affected by it.³ ¹ https://docs.python.org/3/library/imaplib.html#imaplib.IMAP4_SSL ² https://www.openwall.com/lists/oss-security/2024/02/01/4 ³ https://github.com/python/cpython/issues/91826, https://peps.python.org/pep-0476/, https://github.com/python/cpython/pull/91875, https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/, https://github.com/python/peps/pull/3537
---
 output/sender.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/output/sender.py b/output/sender.py
index 57799f6..f469782 100644
--- a/output/sender.py
+++ b/output/sender.py
@@ -3,6 +3,7 @@
 import imaplib
 import mimetypes
 import re
+import ssl
 import time
 import urllib.error
 from email import encoders
@@ -32,7 +33,9 @@ def __init__(self, conf):
     def connect(self):
         self.disconnect()
-        self.conn = imaplib.IMAP4_SSL(self.host, self.port)
+        self.conn = imaplib.IMAP4_SSL(
+            self.host, self.port, ssl_context=ssl.create_default_context()
+        )
         if self.login is not None:
             self.conn.login(self.login, self.password)
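Review bot: The new `IMAP4_SSL(...)` call on the `+` lines in the second hunk now raises `ssl.SSLCertVerificationError` (an `ssl.SSLError`, hence `OSError`) out of `connect()` when the server's certificate chain or hostname does not verify, where the old call accepted any certificate; a caller that only catches `imaplib.IMAP4.error` will not see it, so the method's docstring should name that exception and the caller should treat it as a configuration/trust error rather than something to retry. A why-comment at the call would also stop the next maintainer from "simplifying" it back to the two-argument form: `# create_default_context() loads the system CA store and enables certificate and hostname verification; imaplib's implicit context does neither.` Because `self.host` is the value the certificate is matched against, it needs to be the name the server's certificate is issued for, which is worth stating wherever `host` is documented. `connect()` appears to continue past the hunk (the old-side count is 7 but only five lines are shown), so the remainder of the method is outside this view.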