gh-73936: Add support for unicode in smtplib's logins/passwords.

Formally speaking, this also requires support for SASLprep, RFC 4013.
MongoDB very kindly contributes its SASLprep implementation.

Author: arnt

Lib/smtplib.py

@@ -53,6 +53,7 @@
 import datetime
 import sys
 from email.base64mime import body_encode as encode_base64
+from saslprep import saslprep
 
 __all__ = ["SMTPException", "SMTPNotSupportedError", "SMTPServerDisconnected", "SMTPResponseException",
            "SMTPSenderRefused", "SMTPRecipientsRefused", "SMTPDataError",
@@ -638,7 +639,7 @@ def auth(self, mechanism, authobject, *, initial_response_ok=True):
         mechanism = mechanism.upper()
         initial_response = (authobject() if initial_response_ok else None)
         if initial_response is not None:
-            response = encode_base64(initial_response.encode('ascii'), eol='')
+            response = encode_base64(initial_response.encode('utf-8'), eol='')
             (code, resp) = self.docmd("AUTH", mechanism + " " + response)
             self._auth_challenge_count = 1
         else:
@@ -649,7 +650,7 @@ def auth(self, mechanism, authobject, *, initial_response_ok=True):
             self._auth_challenge_count += 1
             challenge = base64.decodebytes(resp)
             response = encode_base64(
-                authobject(challenge).encode('ascii'), eol='')
+                authobject(challenge).encode('utf-8'), eol='')
             (code, resp) = self.docmd(response)
             # If server keeps sending challenges, something is wrong.
             if self._auth_challenge_count > _MAXCHALLENGE:
@@ -667,21 +668,21 @@ def auth_cram_md5(self, challenge=None):
         # CRAM-MD5 does not support initial-response.
         if challenge is None:
             return None
-        return self.user + " " + hmac.HMAC(
-            self.password.encode('ascii'), challenge, 'md5').hexdigest()
+        return saslprep(self.user) + " " + hmac.HMAC(
+            saslprep(self.password).encode('utf-8'), challenge, 'md5').hexdigest()
 
     def auth_plain(self, challenge=None):
         """ Authobject to use with PLAIN authentication. Requires self.user and
         self.password to be set."""
-        return "\0%s\0%s" % (self.user, self.password)
+        return "\0%s\0%s" % (saslprep(self.user), saslprep(self.password))
 
     def auth_login(self, challenge=None):
         """ Authobject to use with LOGIN authentication. Requires self.user and
         self.password to be set."""
         if challenge is None or self._auth_challenge_count < 2:
-            return self.user
+            return saslprep(self.user)
         else:
-            return self.password
+            return saslprep(self.password)
 
     def login(self, user, password, *, initial_response_ok=True):
         """Log in on an SMTP server that requires authentication.

Lib/test/test_saslprep.py

@@ -13,12 +13,8 @@
 # limitations under the License.
 
 import sys
-
-sys.path[0:0] = [""]
-
-from test import unittest
-
-from pymongo.saslprep import saslprep
+import unittest
+from saslprep import saslprep
 
 
 class TestSASLprep(unittest.TestCase):

Lib/test/test_smtplib.py

@@ -2,6 +2,7 @@
 import email.mime.text
 from email.message import EmailMessage
 from email.base64mime import body_encode as encode_base64
+from saslprep import saslprep
 import email.utils
 import hashlib
 import hmac
@@ -808,6 +809,10 @@ def testLineTooLong(self):
             }
 
 sim_auth = ('Mr.A@somewhere.com', 'somepassword')
+sim_auths = {
+    'Mr.A@somewhere.com' : 'somepassword',
+    'भारत@भारत' : 'भारत@',
+    'Mr.C@somewhere.com' : 'IX'}
 sim_cram_md5_challenge = ('PENCeUxFREJoU0NnbmhNWitOMjNGNn'
                           'dAZWx3b29kLmlubm9zb2Z0LmNvbT4=')
 sim_lists = {'list-1':['Mr.A@somewhere.com','Mrs.C@somewhereesle.com'],
@@ -895,7 +900,7 @@ def _auth_plain(self, arg=None):
                 self.push('535 Splitting response {!r} into user and password'
                           ' failed: {}'.format(logpass, e))
                 return
-            self._authenticated(user, password == sim_auth[1])
+            self._authenticated(user, saslprep(password) == sim_auths[user])
 
     def _auth_login(self, arg=None):
         if arg is None:
@@ -907,7 +912,8 @@ def _auth_login(self, arg=None):
             self.push('334 UGFzc3dvcmQ6')
         else:
             password = self._decode_base64(arg)
-            self._authenticated(self._auth_login_user, password == sim_auth[1])
+            self._authenticated(self._auth_login_user,
+                                saslprep(password) == sim_auths[self._auth_login_user])
             del self._auth_login_user
 
     def _auth_buggy(self, arg=None):
@@ -927,8 +933,8 @@ def _auth_cram_md5(self, arg=None):
                           'failed: {}'.format(logpass, e))
                 return False
             valid_hashed_pass = hmac.HMAC(
-                sim_auth[1].encode('ascii'),
-                self._decode_base64(sim_cram_md5_challenge).encode('ascii'),
+                saslprep(sim_auths[user].encode('utf-8')),
+                self._decode_base64(sim_cram_md5_challenge).encode('utf-8'),
                 'md5').hexdigest()
             self._authenticated(user, hashed_pass == valid_hashed_pass)
     # end AUTH related stuff.
@@ -1117,30 +1123,41 @@ def testEXPN(self):
         self.assertEqual(smtp.expn(u), expected_unknown)
         smtp.quit()
 
+    def helpAUTH_x(self, feature):
+        self.serv.add_feature(feature)
+        for username in sim_auths.keys():
+            with self.subTest(username=username):
+                smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=15)
+                resp = smtp.login(username, sim_auths[username])
+                self.assertEqual(resp, (235, b'Authentication Succeeded'))
+                smtp.close()
+            with self.subTest(username=username):
+                smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=15)
+                with self.assertRaises(smtplib.SMTPAuthenticationError):
+                    smtp.login(username, "No" + sim_auths[username])
+                smtp.close()
+            with self.subTest(username=username):
+                smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=15)
+                resp = smtp.login(username, sim_auths[username] + u"\u00AD")
+                self.assertEqual(resp, (235, b'Authentication Succeeded'))
+                smtp.close()
+
     def testAUTH_PLAIN(self):
-        self.serv.add_feature("AUTH PLAIN")
-        smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost',
-                            timeout=support.LOOPBACK_TIMEOUT)
-        resp = smtp.login(sim_auth[0], sim_auth[1])
-        self.assertEqual(resp, (235, b'Authentication Succeeded'))
-        smtp.close()
+        self.helpAUTH_x("AUTH PLAIN")
 
     def testAUTH_LOGIN(self):
-        self.serv.add_feature("AUTH LOGIN")
-        smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost',
-                            timeout=support.LOOPBACK_TIMEOUT)
-        resp = smtp.login(sim_auth[0], sim_auth[1])
-        self.assertEqual(resp, (235, b'Authentication Succeeded'))
-        smtp.close()
+        self.helpAUTH_x("AUTH LOGIN")
 
     def testAUTH_LOGIN_initial_response_ok(self):
         self.serv.add_feature("AUTH LOGIN")
-        with smtplib.SMTP(HOST, self.port, local_hostname='localhost',
-                          timeout=support.LOOPBACK_TIMEOUT) as smtp:
-            smtp.user, smtp.password = sim_auth
-            smtp.ehlo("test_auth_login")
-            resp = smtp.auth("LOGIN", smtp.auth_login, initial_response_ok=True)
-            self.assertEqual(resp, (235, b'Authentication Succeeded'))
+        for username in sim_auths.keys():
+            with smtplib.SMTP(HOST, self.port, local_hostname='localhost',
+                              timeout=support.LOOPBACK_TIMEOUT) as smtp:
+                smtp.user = username
+                smtp.password = sim_auths[username]
+                smtp.ehlo("test_auth_login")
+                resp = smtp.auth("LOGIN", smtp.auth_login, initial_response_ok=True)
+                self.assertEqual(resp, (235, b'Authentication Succeeded'))
 
     def testAUTH_LOGIN_initial_response_notok(self):
         self.serv.add_feature("AUTH LOGIN")
@@ -1183,12 +1200,7 @@ def testAUTH_CRAM_MD5(self):
     @hashlib_helper.requires_hashdigest('md5', openssl=True)
     def testAUTH_multiple(self):
         # Test that multiple authentication methods are tried.
-        self.serv.add_feature("AUTH BOGUS PLAIN LOGIN CRAM-MD5")
-        smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost',
-                            timeout=support.LOOPBACK_TIMEOUT)
-        resp = smtp.login(sim_auth[0], sim_auth[1])
-        self.assertEqual(resp, (235, b'Authentication Succeeded'))
-        smtp.close()
+        self.helpAUTH_x("AUTH BOGUS PLAIN LOGIN CRAM-MD5")
 
     def test_auth_function(self):
         supported = {'PLAIN', 'LOGIN'}

Misc/NEWS.d/next/Library/2023-04-18-18-00-00.gh-issue-73936.wrxC5G.rst

@@ -0,0 +1,3 @@
+Added support for unicode logins/passwords for SMTP authentication.
+
+This includes SASLprep support, graciously contributed by MongoDB.com.