From 0360116a634a842b2bbe93528284679587a7c6c2 Mon Sep 17 00:00:00 2001
From: Arusekk
Date: Mon, 20 May 2024 08:57:18 +0800
Subject: [PATCH] CVE-2024-34083

---
 aiosmtpd/docs/NEWS.rst | 5 +++++
 aiosmtpd/smtp.py       | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/aiosmtpd/docs/NEWS.rst b/aiosmtpd/docs/NEWS.rst
index 875ead0..fa8089b 100644
--- a/aiosmtpd/docs/NEWS.rst
+++ b/aiosmtpd/docs/NEWS.rst
@@ -15,6 +15,11 @@ Fixed/Improved
 * All Controllers now have more rationale design, as they are now composited from a Base + a Mixin
 * A whole bunch of annotations
 
+1.4.6 (2024-05-06)
+==================
+
+* STARTTLS is now fully enforced if used.
+
 1.4.4 (2023-01-17)
 ==================
 
diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py
index 09c85bf..8a20d13 100644
--- a/aiosmtpd/smtp.py
+++ b/aiosmtpd/smtp.py
@@ -504,6 +504,9 @@ class SMTP(asyncio.StreamReaderProtocol):
             self._reader._transport = transport
             self._writer._transport = transport
             self.transport = transport
+            # Discard any leftover unencrypted data
+            # See https://tools.ietf.org/html/rfc3207#page-7
+            self._reader._buffer.clear()  # type: ignore[attr-defined]
             # Do SSL certificate checking as rfc3207 part 4.1 says. Why is
             # _extra a protected attribute?
             self.session.ssl = self._tls_protocol._extra
-- 
2.27.0
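Review bot: The new `self._reader._buffer.clear()` silently drops whatever plaintext the client sent after STARTTLS but before the handshake finished, and a non-empty buffer at this point is precisely the signal a defender wants to see, since it indicates an attempt to smuggle commands across the TLS upgrade. Consider recording it before discarding, e.g. `if self._reader._buffer:  # type: ignore[attr-defined]` followed by `log.warning("Discarding %d bytes of plaintext received before STARTTLS completed", len(self._reader._buffer))` ahead of the existing `clear()`, assuming the module's `log` logger is in scope here. The fix also rests on `StreamReader._buffer`, a private asyncio attribute (hence the `type: ignore`), so a regression test that pipelines a command after `STARTTLS` and asserts it is never executed would make a future rename of that attribute fail loudly rather than reopen the issue. The enclosing method (apparently `connection_made`, judging by the surrounding transport assignments) starts and ends outside the hunk.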