starttls: Clear unencrypted commands from buffer

[Arusekk]

What do these changes do?

When a STARTTLS command is not the last one in a pipeline, extra unencrypted commands may treated as part of the encrypted communication, effectively allowing to bypass the ALLOWED_BEFORE_STARTTLS list used when require_starttls=True. This PR adds a buffer flush to ensure it does not happen.

Are there changes in behavior for the user?

No behaviour change. Documentation reflects the changes already.

Related issue number

None.

Checklist

• I think the code is well written
• Unit tests for the changes exist
• tox testenvs have been executed in the following environments:
  • Linux (Ubuntu 18.04, Ubuntu 20.04, Arch): {py36,py37,py38,py39}-{nocov,cov,diffcov}, qa, docs
  • Windows (7, 10): {py36,py37,py38,py39}-{nocov,cov,diffcov}
  • WSL 1.0 (Ubuntu 18.04): {py36,py37,py38,py39}-{nocov,cov,diffcov}, pypy3-{nocov,cov}, qa, docs
  • FreeBSD (12.2, 12.1, 11.4): {py36,pypy3}-{nocov,cov,diffcov}, qa
  • Cygwin: py36-{nocov,cov,diffcov}, qa, docs
• Documentation reflects the changes
• Add a news fragment into the NEWS.rst file

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.80%. Comparing base (0301e9c) to head (96b5ca2).
Report is 62 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #380      +/-   ##
==========================================
- Coverage   97.82%   97.80%   -0.02%     
==========================================
  Files          23       23              
  Lines        5706     5707       +1     
  Branches      764      764              
==========================================
  Hits         5582     5582              
- Misses         78       80       +2     
+ Partials       46       45       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.