Message 125932 - Python tracker

Well, imagine a web form that has a 'subject' text entry field, and the application does Message['Subject'] = subject_from_form as it builds a Message to hand off to smtp.sendmail.  If the application didn't sanitize the subject for newlines (and as a programmer I doubt I would have thought of doing that), then we can have header injection.  So, yes, it is analogous to an sql injection attack.

Since we don't have a report of an exploit, I'm fine with not backporting it.