This queue is for tickets about the MailTools CPAN distribution.

Report information
The Basics
Id: 113464
Status: resolved
Priority: 0/
Queue: MailTools

People
Owner: Nobody in particular
Requestors: andrew [...] topdog.za.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 2.15



Subject: Mail::Header incorrect decoding
Date: Wed, 30 Mar 2016 23:31:25 +0200
From: Andrew Colin Kissa <andrew [...] topdog.za.net>
Hi

Messages containing crafted mime headers do not get decoded correctly allowing for malware loaded attachments to slip through filtering systems.

Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
name="Kebbekus1958_payment_38C587.rar"
Content-Transfer-Encoding: base64

When a message with the above is parsed, the file Kebbekus1958_payment_38C587.rar contains the base64 encoded data instead of the actual RAR file.

The proper mime header I believe should be.

Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
name="Kebbekus1958_payment_38C587.rar"
Content-Transfer-Encoding: base64

Because the attachment is not decoded correctly, systems that extract archives to check files inside can be bypassed to deliver malware payloads in the archive attachments.

Maintainer of MIME-Tools indicates the issue is in Mail::Header and suggested I report this to the upstream which is MailTools.

- Andrew

Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Wed, 30 Mar 2016 23:54:13 +0200
From: Mark Overmeer <mark [...] overmeer.net>
* Andrew Colin Kissa via RT (bug-MailTools@rt.cpan.org) [160330 21:32]:
> Wed Mar 30 17:31:48 2016: Request 113464 was acted upon.
> Transaction: Ticket created by andrew@topdog.za.net
> Queue: MailTools
> Subject: Mail::Header incorrect decoding
> Requestors: andrew@topdog.za.net
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=113464 >
>
> Messages containing crafted mime headers do not get decoded correctly
> allowing for malware loaded attachments to slip through filtering systems.
>
> Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
> name="Kebbekus1958_payment_38C587.rar"
> Content-Transfer-Encoding: base64
>
> When a message with the above is parsed, the file
> Kebbekus1958_payment_38C587.rar
> contains the base64 encoded data instead of the actual RAR file.

Yes: Mail::Header is 30 years old, even before MIME was published as RFC. It does not handle Content-Transfer-Encoding.

> The proper mime header I believe should be.
>
> Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
> name="Kebbekus1958_payment_38C587.rar"
> Content-Transfer-Encoding: base64

I do not see the difference.

> Because the attachment is not decoded correctly, systems that extract
> archives to check files inside can be bypassed to deliver malware payloads
> in the archive attachments.

If the application uses any MailTools component alone, it will not be able to process complex messages. Applications based on MailTools modules need additional logic to look at the MIME headers for additional processing, like base64 decoding. For instance, MIME-Tools logic.

> Maintainer of MIME-Tools indicates the issue is in Mail::Header and
> suggested I report this to the upstream which is MailTools.

I see no way to exploit this. Can you detail how someone would be able to use it?

I advise everyone not to use this ancient module to process modern emails. There are many very capable alternatives on CPAN, like MailBox.

--
Regards,
MarkOv

------------------------------------------------------------------------
Mark Overmeer MSc    MARKOV Solutions
Mark@Overmeer.net    solutions@overmeer.net
http://Mark.Overmeer.net    http://solutions.overmeer.net
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Thu, 31 Mar 2016 00:02:32 +0200
From: Andrew Colin Kissa <andrew [...] topdog.za.net>
On 30 Mar 2016, at 11:54 PM, "Mark Overmeer via RT" <bug-MailTools@rt.cpan.org> wrote:

> I see no way to exploit this. Can you detail how someone would be
> able to use it?

It is not an exploit per se, the bug is used to bypass filtering of prohibited attachments, which then reach the end user who may open the attachment and get infected by malware.

Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Thu, 31 Mar 2016 00:25:33 +0200
From: Mark Overmeer <mark [...] overmeer.net>
* Andrew Colin Kissa via RT (bug-MailTools@rt.cpan.org) [160330 22:04]:
> Queue: MailTools
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=113464 >
>
> > I see no way to exploit this. Can you detail how someone would be
> > able to use it?
>
> It is not an exploit per se, the bug is used to bypass filtering
> of prohibited attachments,
> which then reach the end user who may open the attachment and get
> infected by malware.

Why would it by-pass the filters?

An application which scans for spam and malware must first prepare the content of the message to make it possible to scan. Well, when that code uses MailTools, it needs to do the base64 decoding itself. If it does not, that application has a bug. It's not MailTools' fault if it is used incorrectly. It's a very limited module.

So: no, lacking of handling of Content-Transfer-Encoding does not have any effect on filtering software.

--
Regards,
MarkOv
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Thu, 31 Mar 2016 00:31:17 +0200
From: Andrew Colin Kissa <andrew [...] topdog.za.net>
On 31 Mar 2016, at 12:25 AM, "Mark Overmeer via RT" <bug-MailTools@rt.cpan.org> wrote:

> An application which scans for spam and malware must first prepare the
> content of the message to make it possible to scan. Well, when that
> code uses MailTools, it needs to do the base64 decoding itself. If it
> does not, that application has a bug. It's not MailTools' fault if it
> is used incorrectly. It's a very limited module.

Thanks, I guess this needs to be fixed in MIME-Tools which is what subclasses MailTools.

Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Thu, 31 Mar 2016 00:49:35 +0200
From: Mark Overmeer <mark [...] overmeer.net>
* Andrew Colin Kissa via RT (bug-MailTools@rt.cpan.org) [160330 22:31]:
> Queue: MailTools
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=113464 >
>
> Thanks, I guess this needs to be fixed in MIME-Tools which is what
> subclasses MailTools.

I have no knowledge about MIME-Tools, but a quick scan shows
http://search.cpan.org/~dskoll/MIME-tools-5.507/lib/MIME/Body.pm

    ### Dump the ENCODED body data to a filehandle:
    $body->print(\*STDOUT);

    ### Slurp all the UNENCODED data in, and put it in a scalar:
    $string = $body->as_string;

    ### Slurp all the UNENCODED data in, and put it in an array of lines:
    @lines = $body->as_lines;

So, the latter two options are documented to decode base64, and the first is not. It is documented, hence not a bug of the module.

--
Regards,
MarkOv
Hi,

No, here's the issue... Mail::Header stops parsing headers if it encounters the line:

name="whatever";

because it doesn't match the $FIELD_NAME regex. It should really only stop when it hits a blank line (or have an option to do so.)

I don't really know how it can intelligently handle a malformed line in the middle of a bunch of headers. Ignore it, maybe? Report it back somehow?

To summarize, when Mail::Header is fed:

Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
name="Kebbekus1958_payment_38C587.rar"
Content-Transfer-Encoding: base64

It stops at the name= line and the only headers we get back are:

Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;

Regards,

Dianne.
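
The stopping behaviour described in the message above, modelled as an added example (Python written for this page, not code from Mail::Header or MIME-tools): a strict splitter that ends the header block at the first line that is neither a field nor a continuation, beside a tolerant one that reads on to the blank line and records the malformed line. The names `split_part`, `header_value`, `payload` and `scan`, the policy of folding the stray line into the previous field, and the sample body bytes are assumptions made for the illustration.

```python
import base64
import re

# A header field line: a name of printable ASCII without ':' followed by a colon.
FIELD_RE = re.compile(r"^([!-9;-~]+)[ \t]*:[ \t]*(.*)$")

RAR_MAGIC = b"Rar!\x1a\x07\x00"  # signature at the start of a RAR 4.x archive

# Constructed sample: the part headers quoted in the ticket, followed by a
# base64 body made up for this example (RAR signature plus filler bytes).
SAMPLE_PART = "\n".join([
    'Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"',
    "Content-Type: application/x-rar-compressed; x-unix-mode=0600;",
    'name="Kebbekus1958_payment_38C587.rar"',  # no leading whitespace: not a continuation
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(RAR_MAGIC + b"constructed sample bytes").decode("ascii"),
])


def split_part(raw, tolerant):
    """Split one MIME part into (headers, body_lines, anomalies).

    tolerant=False models the behaviour reported in the ticket: the header
    block ends at the first line that is neither a field nor a continuation,
    and everything from that line on is treated as body.
    tolerant=True only ends the header block at a blank line; a malformed
    line is recorded with its line number and folded into the previous field
    (an assumed policy; a filter could equally quarantine the message).
    """
    headers, anomalies = [], []
    lines = raw.split("\n")
    for idx, line in enumerate(lines):
        if line == "":
            return headers, lines[idx + 1:], anomalies
        match = FIELD_RE.match(line)
        if line[0] in " \t" and headers:
            headers[-1][1] += " " + line.strip()      # proper folded continuation
        elif match:
            headers.append([match.group(1), match.group(2)])
        elif tolerant:
            anomalies.append((idx + 1, line))
            if headers:
                headers[-1][1] += " " + line.strip()
        else:
            return headers, lines[idx:], anomalies    # strict: stop parsing here
    return headers, [], anomalies


def header_value(headers, name, default=""):
    """Case-insensitive lookup of the first field called `name`."""
    for field, value in headers:
        if field.lower() == name.lower():
            return value
    return default


def payload(headers, body_lines):
    """Return the attachment bytes a scanner would inspect."""
    cte = header_value(headers, "Content-Transfer-Encoding", "7bit").strip().lower()
    text = "\n".join(body_lines)
    if cte == "base64":
        return base64.b64decode(text)
    return text.encode("latin-1")  # no encoding seen: bytes are taken as they are


def scan(raw, tolerant):
    """Summarise what a content filter sees under each parsing mode."""
    headers, body, anomalies = split_part(raw, tolerant)
    data = payload(headers, body)
    return {
        "fields": [name for name, _ in headers],
        "is_rar": data.startswith(RAR_MAGIC),
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("tolerant" if mode else "strict", scan(SAMPLE_PART, mode))
```

In strict mode the Content-Transfer-Encoding field never reaches the caller, so the bytes handed to the archive check are still base64 text; in tolerant mode the field is recovered and the anomaly list gives the filter a signal to log or reject on.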
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Thu, 31 Mar 2016 01:10:01 +0200
To: Dianne Skoll via RT <bug-MailTools [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* Dianne Skoll via RT (bug-MailTools@rt.cpan.org) [160330 23:02]:
> Queue: MailTools
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=113464 >
>
> No, here's the issue... Mail::Header stops parsing headers if it encounters
> the line:
>
> name="whatever";
>
> because it doesn't match the $FIELD_NAME regex.  It should really
> only stop when it hits a blank line (or have an option to do so.)
>
> I don't really know how it can intelligently handle a malformed line
> in the middle of a bunch of headers.  Ignore it, maybe?  Report it back
> somehow?

Ah, that's a clearer report.

Usually, you stop when you cannot handle mistakes automatically.  Do the
other lines end up in the body?  I have no idea about the logic you use
around it: there are many ways.

As far as I can see in the code, you get

    croak "Bad RFC822 field name '$tag'\n";

So, the program needs to eval the header reading, and decide what to do.
Probably best to trash the whole message.
--
Regards,
               MarkOv
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Fri, 1 Apr 2016 20:14:16 -0700
To: bug-MailTools [...] rt.cpan.org
From: Mark Sapiro <mark [...] msapiro.net>
Dianne wrote:
> To summarize, when Mail::Header is fed:
>
> Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
> name="Kebbekus1958_payment_38C587.rar"
> Content-Transfer-Encoding: base64
>
> It stops at the name= line and the only headers we get back are:
>
> Content-Disposition: attachment; filename="Kebbekus1958_payment_38C587.rar"
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;

Just to add a bit, this issue exists with both the extract method and
the read method of Mail::Header.

The issue is that the first line encountered which is not a continuation
of a folded header (begins with whitespace) or a 'Field-Name:' line
stops processing of the headers.

RFC 5322, section 2.1 and its predecessors are clear that only an empty
line marks the end of the headers.

Granted there are broken agents that may not leave an empty line at the
end of the headers, but at least the code could look ahead at the line
following the non-whitespace, non-header line and if that is a
'Field-Name:' line, continue processing with it.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
From: cpan [...] perl.wizbit.be
> As far as I can see in the code, you get
>
> croak "Bad RFC822 field name '$tag'\n";
>
> So, the program needs to eval the header reading, and decide what to
> do.
> Probably best to trash the whole message.

That does not appear to be the case..

Since example code is always clearer:

#!/usr/bin/perl

use strict;
use warnings;

use Mail::Header;
use File::Temp qw# tempfile #;

# The name= line starts in column 0, so it is not a folded continuation
# of Content-Type.
my $headers = <<EOF;
Content-Disposition: inline; filename="testing.txt"
Content-Type: text/ascii; x-unix-mode=0600;
name="testing.txt"
Content-Transfer-Encoding: base64
EOF

# Write the same headers to a file for the filehandle-based read method.
my ($fh_out, $filename) = tempfile();
print $fh_out $headers;
close $fh_out;

open my $fh_in, "<", $filename or die "Can't open $filename: $!";

# An array reference goes through the extract method.
my $obj = Mail::Header->new([ split m/\n/, $headers ]);
print "Extract method:\n";
print "---------------\n";
print $obj->as_string, "\n";
print "\n";

# A filehandle goes through the read method.
print "Read method:\n";
print "------------\n";
my $obj2 = Mail::Header->new($fh_in);
print $obj2->as_string, "\n";
__END__

Running this will show:

Extract method:
---------------
Content-Disposition: inline; filename="testing.txt"
Content-Type: text/ascii; x-unix-mode=0600;

Read method:
------------
Content-Disposition: inline; filename="testing.txt"
Content-Type: text/ascii; x-unix-mode=0600;

=> No fatal error is given;

When this module is used via MIME::Parser: it has extra code to detect
that Mail::Header did not consume all input (and thus all headers); it
does flag this as an error but in the default configuration it continues
processing the message.

The body that followed after the above header was base64 encoded,
MIME::Parser however will not base64 decode it since the parsed headers
do *not* include 'Content-Transfer-Encoding: base64'.

Checking with some mail clients: (i.e. mime part with the above headers +
base64 encoded content): both Outlook and Thunderbird are forgiving and
base64 decodes the attachment anyway..

There is a case to be made for fixing this but I guess there is also a
case to be made for not fixing it (since these are not valid headers)..
Looking at this from the point of view of a mail filter such as amavisd: it uses MIME::Parser (which then uses Mail::Header) amavisd does check the result of MIME::Parser (which did record the error) and in a default setup it would reject the mail because of the bad header; The bad header check however can be disabled (or address can be white-listed) and if that happens then other features of amavisd will no longer work correctly.. For example: if the attachment is a ZIP archive then it will attempt to extract it but if the headers are mangled then this will not work since the body is still base64 encoded which will make it impossible to extract/check the archive.. (i.e. virus scanning) Possible patch: --- Mail/Header.pm.orig 2016-04-04 12:36:23.000000000 +0200 +++ Mail/Header.pm 2016-04-04 15:20:36.000000000 +0200 @@ -282,9 +282,11 @@ { my ($self, $lines) = @_; $self->empty; - while(@$lines && $lines->[0] =~ /^($FIELD_NAME|From )/o) - { my $tag = $1; - my $line = shift @$lines; + while(@$lines) + { my $line = shift @$lines; + $line =~ /^($FIELD_NAME|From )/o or next; + my $tag = $1; + $line .= shift @$lines while @$lines && $lines->[0] =~ /^[ \t]+/o; @@ -320,10 +322,12 @@ { ($tag, $line) = _fmt_line $self, $tag, $line; _insert $self, $tag, $line, -1 if defined $line; + $line = undef; + $tag = undef; } - defined $ln && $ln =~ /^($FIELD_NAME|From )/o - or last; + defined $ln or last; + $ln =~ /^($FIELD_NAME|From )/o or next; ($tag, $line) = ($1, $ln); } Running with the above script: Extract method: --------------- Content-Disposition: inline; filename="testing.txt" Content-Type: text/ascii; x-unix-mode=0600; Content-Transfer-Encoding: base64 Read method: ------------ Content-Disposition: inline; filename="testing.txt" Content-Type: text/ascii; x-unix-mode=0600; Content-Transfer-Encoding: base64
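Review bot: in the first hunk (@@ -282,9 +282,11 @@, the loop over @$lines), replacing the guarded `while(@$lines && $lines->[0] =~ ...)` with `while(@$lines)` plus `... or next` leaves the loop with no end condition except an empty array, so the blank line that separates headers from body no longer stops it and any later body line matching $FIELD_NAME is taken as a header. Add an explicit stop on an empty line before the `or next`, and consider collecting the skipped lines so a caller can still tell that malformed input was dropped.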
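Review bot: in the second hunk (@@ -320,10 +322,12 @@), `defined $ln or last;` followed by `$ln =~ /^($FIELD_NAME|From )/o or next;` means the read loop now ends only at end of input, so a filehandle positioned at a full message is consumed through the body and nothing is left for the caller to read. It needs the same empty-line stop as the array-based loop, placed between those two statements. The new `$line = undef; $tag = undef;` resets also deserve a one-line comment saying they keep a skipped line from re-inserting or extending the previous field.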
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Tue, 5 Apr 2016 16:41:27 +0200
To: "cpan [...] perl.wizbit.be via RT" <bug-MailTools [...] rt.cpan.org>
From: Mark Overmeer <mark [...] nluug.nl>
* cpan@perl.wizbit.be via RT (bug-MailTools@rt.cpan.org) [160404 13:41]:
> That does not appear to be the case..

I cannot deny someone who put so much effort in it ;-)

> => No fatal error is given;

_fmt_line does that, but apparently only when the field-name gets
accepted first.

> both Outlook and Thunderbird are forgiving and base64 decodes the
> attachment anyway..

Wow, that looks to me as a security risk.  You cannot expect all
virus/spam-filters to do the same.  Amavisd should also get this
automatic behavior to be safe.

> Possible patch:

Patch applied with small change:
> > @@ -320,10 +322,12 @@ > { ($tag, $line) = _fmt_line $self, $tag, $line; > _insert $self, $tag, $line, -1 > if defined $line; > + $line = undef; > + $tag = undef;
($line, $tag) = ();

We could also add the fragment which is incorrectly folded to its field
line... but that may have security consequences as well.  I think that
throwing it away is safer.

When you agree, I'll make a release
--
Regards,
               MarkOv
From: cpan [...] perl.wizbit.be
> We could also add the fragment which is incorrectly folded to its field
> line... but that may have security consequences as well.  I think that
> throwing it away is safer.
>
I have no real opinion about that; for my use case the fragment is
irrelevant so throwing it away is good; adding it to the previous line
would also be good..

But thinking about the issue and patch some more:

There might be two extra things that need to be considered:

a) (ab)using Mail::Header to detect incorrect MIME headers

Before the patch Mail::Header would stop processing the input and this
made it possible to detect that the headers were not fully correct.
Of course this led to the bug of missing headers.

After the patch the valid headers are added (which is good) but there is
no indication that some of the content was bogus..

The docs of the module does mention:
"Mail::Header does not always follow the RFCs strict enough, ..."

So someone using it to check that a message follows the RFCs would
already be missing some cases I guess..

I suppose extra code could be added to set a particular flag and/or an
extra method to check the value of this flag..  Not sure how good/clean
that would be..

b) using Mail::Header on the full mail message

When someone uses Mail::Header on the full email message (and not just
on the headers) then it would result in a different behaviour..

Consider the code:

#!/usr/bin/perl

use strict;
use warnings;

use Mail::Header;
use File::Temp qw# tempfile #;

# A complete message: headers, an empty line, then a body that contains
# a line which looks like a header field.
my $msg = <<EOF;
Subject: foo
From: <bar\@bar.bar>
Content-Type: text/plain

This is the mail body
Foo: bar
baz
EOF

my ($fh_out, $filename) = tempfile();
print $fh_out $msg;
close $fh_out;

open my $fh_in, "<", $filename or die "Can't open $filename: $!";

# extract() removes the lines it consumes from @headers; what is left
# is treated as the body.
my @headers = split m/\n/, $msg;
my $obj = Mail::Header->new();
$obj->extract(\@headers);
print "Extract method (headers):\n";
print "-------------------------\n";
print $obj->as_string, "\n";
print "\n";
print "Extract method (body):\n";
print "----------------------\n";
print join("\n", @headers, "");
print "\n";
print "\n";

# Reading from the filehandle leaves the rest of the file as the body.
print "Read method (headers):\n";
print "----------------------\n";
my $obj2 = Mail::Header->new($fh_in);
print $obj2->as_string, "\n";
my $body = do { local $/; <$fh_in> };
$body = "" if not defined $body;
print "Read method (body):\n";
print "-------------------\n";
print $body;
__END__

Before the patch this would output:

Extract method (headers):
-------------------------
Subject: foo
From: <bar@bar.bar>
Content-Type: text/plain

Extract method (body):
----------------------
This is the mail body
Foo: bar
baz

Read method (headers):
----------------------
Subject: foo
From: <bar@bar.bar>
Content-Type: text/plain

Read method (body):
-------------------
This is the mail body
Foo: bar
baz

After the patch the output would be:

Extract method (headers):
-------------------------
Subject: foo
From: <bar@bar.bar>
Content-Type: text/plain
Foo: bar

Extract method (body):
----------------------

Read method (headers):
----------------------
Subject: foo
From: <bar@bar.bar>
Content-Type: text/plain
Foo: bar

Read method (body):
-------------------

So for someone (ab)using Mail::Header in that way the patch may break
their code...
Of course their code is already broken in case there are invalid headers

What I do not know:
* is there anyone that (ab)uses Mail::Header in such way?
* is this behaviour that you want to support/maintain/recommend?
* ...

A possible 'fix' for it would be to stop at an empty line..

i.e. for the extract method:

    $line !~ /\A\Z/o or last;
    $line =~ /^($FIELD_NAME|From )/o or next;
    my $tag = $1;

and for the read method:

    defined $ln or last;
    $ln !~ /\A\Z/o or last;
    $ln =~ /^($FIELD_NAME|From )/o or next;

i.e.:
* stop on an empty line
* skip invalid headers
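The three header-loop behaviours discussed in this ticket (stop at the first malformed line, skip malformed lines without ever stopping, skip malformed lines but stop at the empty line), reimplemented stand-alone as an added example; it is not MailTools code and not code from the thread. The `parse_headers` function, its mode names and the field-name pattern are assumptions made for the illustration, and both inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: a field-name pattern in the spirit of the $FIELD_NAME the
# thread mentions (printable characters other than space and colon,
# followed by a colon). It is not copied from Mail::Header.
my $FIELD_NAME = qr/[^\x00-\x20\x7f-\xff:]+:/;

# parse_headers(\@lines, $mode) (hypothetical helper) consumes header lines
# from the front of @lines and returns (\@fields, \@skipped). Whatever is
# left in @lines afterwards is what a caller would treat as the body.
#   'stop'     stop at the first line that is not a field   (before the patch)
#   'skip_all' skip non-field lines and never stop          (first patch)
#   'skip'     skip non-field lines, stop at the empty line (proposed fix)
sub parse_headers {
    my ($lines, $mode) = @_;
    my (@fields, @skipped);

    while (@$lines) {
        if ($mode eq 'stop') {
            last unless $lines->[0] =~ /^(?:$FIELD_NAME|From )/;
        }
        my $line = shift @$lines;

        # Only an empty line ends the header block.
        last if $mode eq 'skip' && $line eq '';

        unless ($line =~ /^(?:$FIELD_NAME|From )/) {
            # Malformed line: keep a record of it instead of silently
            # dropping it, so a filter can still flag the message.
            push @skipped, $line;
            next;
        }

        # Unfold continuation lines (leading space or tab).
        $line .= shift @$lines while @$lines && $lines->[0] =~ /^[ \t]+/;
        push @fields, $line;
    }
    return (\@fields, \@skipped);
}

# Constructed sample 1: a MIME part whose name= parameter is not indented,
# so it is not a valid continuation of Content-Type.
my @part = (
    'Content-Disposition: inline; filename="testing.txt"',
    'Content-Type: text/ascii; x-unix-mode=0600;',
    'name="testing.txt"',
    'Content-Transfer-Encoding: base64',
    '',
    'VGhpcyBpcyBhIHRlc3QK',
);

# Constructed sample 2: valid headers, then a body line that looks like a field.
my @message = (
    'Subject: foo',
    'Content-Type: text/plain',
    '',
    'This is the mail body',
    'Foo: bar',
);

for my $case ([part => \@part], [message => \@message]) {
    my ($name, $sample) = @$case;
    for my $mode (qw(stop skip_all skip)) {
        my @lines = @$sample;    # parse a copy, the parser consumes its input
        my ($fields, $skipped) = parse_headers(\@lines, $mode);
        my @names = map { /^([^:]+):/ ? $1 : () } @$fields;
        printf "%-8s %-9s fields=[%s] skipped=%d body_lines=%d\n",
            $name, $mode, join(',', @names), scalar @$skipped, scalar @lines;
    }
}
```

In `stop` mode the part loses Content-Transfer-Encoding, in `skip_all` mode the message gains `Foo` from its body and has no body left, and only `skip` mode keeps both the headers and the body intact while still reporting the malformed line.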
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
Date: Fri, 15 Apr 2016 09:59:32 +0200
To: "cpan [...] perl.wizbit.be via RT" <bug-MailTools [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* cpan@perl.wizbit.be via RT (bug-MailTools@rt.cpan.org) [160406 19:39]:
> Queue: MailTools
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=113464 >

> There might be two extra things that need to be considered:
> a) (ab)using Mail::Header to detect incorrect MIME headers

...

> The docs of the module does mention:
> "Mail::Header does not always follow the RFCs strict enough, ..."

There are a few reasons that there are multiple implementations for
email processors.  One of the reasons is that not everyone needs the
same features.

As I explained before: MailTools dates from pre-MIME.  That's very old.
In the time that attachments were rare and spam volume low.  It is only
kept because many books show examples with this module.

You could, for instance, go for the very powerful MailBox suite.  That
module is maintained to grow and if it does not already fulfil your
needs, it probably will get extended.

> b) using Mail::Header on the full mail message

> So for someone (ab)using Mail::Header in that way the patch may break
> their code...
>
> What I do not know:
> * is there anyone that (ab)uses Mail::Header in such way?
> * is this behaviour that you want to support/maintain/recommend?
> * ...

I think that everyone is using the code that way.  It was a serious bug
in our change.  I am very glad we did not release it yet ;-)

I am planning to release the attached version.
--
Regards,
               MarkOv
Content-Type: application/x-tar-gz
Content-Disposition: attachment; filename="MailTools-2.15.tar.gz"
Content-Transfer-Encoding: base64
Content-Length: 55143

MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-3778-1460707188-972.113464-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: API
References: <RT-Ticket-113464 [...] rt.cpan.org> <8D7AF167-C573-4AEC-84D5-B1B6C7AA27AB [...] topdog.za.net> <rt-4.0.18-5398-1459375367-661.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-9890-1459378943-56.113464-5-0 [...] rt.cpan.org> <20160330231001.GD20687 [...] moon.overmeer.net> <rt-4.0.18-6373-1459379420-2.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-2075-1459777259-1441.113464-5-0 [...] rt.cpan.org> <20160405144127.GM18315 [...] moon.overmeer.net> <rt-4.0.18-14467-1459867367-585.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-20649-1459971581-1491.113464-5-0 [...] rt.cpan.org> <20160415075932.GR1565 [...] moon.overmeer.net> <rt-4.0.18-3778-1460707188-972.113464-0-0 [...] rt.cpan.org>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-23891-1460838891-1688.0-0-0 [...] rt.cpan.org>
Message-ID: <rt-4.0.18-23891-1460838891-1465.113464-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
From: cpan [...] perl.wizbit.be
Content-Length: 345
> I think that everyone is using the code that way. It was a serious bug
> in our change. I am very glad we did not release it yet ;-)
> I am planning to release the attached version.
I've tested the attached version with my test cases (I'm sure you did the same but can never hurt to double check) and it does produce the expected output.
MIME-Version: 1.0
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8
X-Spam-Score: -4.109
Authentication-Results: hipster.bestpractical.com (amavisd-new); dkim=pass header.i= [...] overmeer.net
Authentication-Results: hipster.bestpractical.com (amavisd-new); domainkeys=pass header.from=solutions [...] overmeer.net
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 48E972402D0 for <cpan-bug+MailTools [...] hipster.bestpractical.com>; Mon, 18 Apr 2016 08:11:57 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z1SHfaUgv2c0 for <cpan-bug+MailTools [...] hipster.bestpractical.com>; Mon, 18 Apr 2016 08:11:55 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 26715240022 for <bug-MailTools [...] rt.cpan.org>; Mon, 18 Apr 2016 08:11:54 -0400 (EDT)
Received: (qmail 13428 invoked by alias); 18 Apr 2016 12:11:54 -0000
Received: from smtpq2.tb.mail.iss.as9143.net (HELO smtpq2.tb.mail.iss.as9143.net) (212.54.42.165) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Mon, 18 Apr 2016 05:11:49 -0700
Received: from [212.54.42.117] (helo=lsmtp3.tb.mail.iss.as9143.net) by smtpq2.tb.mail.iss.as9143.net with esmtp (Exim 4.82) (envelope-from <solutions [...] overmeer.net>) id 1as81o-0007fD-N8 for bug-MailTools [...] rt.cpan.org; Mon, 18 Apr 2016 14:11:44 +0200
Received: from dhcp-089-099-148-229.chello.nl ([89.99.148.229] helo=moon.overmeer.net) by lsmtp3.tb.mail.iss.as9143.net with esmtp (Exim 4.82) (envelope-from <solutions [...] overmeer.net>) id 1as81o-0005sH-Ka for bug-MailTools [...] rt.cpan.org; Mon, 18 Apr 2016 14:11:44 +0200
Received: from moon.overmeer.net (localhost [127.0.0.1]) by moon.overmeer.net (Postfix) with ESMTP id 6FBD11102195 for <bug-MailTools [...] rt.cpan.org>; Mon, 18 Apr 2016 14:11:44 +0200 (CEST)
Received: from moon.overmeer.net (localhost [IPv6:::1]) by moon.overmeer.net (Postfix) with SMTP id 639FA1102193 for <bug-MailTools [...] rt.cpan.org>; Mon, 18 Apr 2016 14:11:44 +0200 (CEST)
Delivered-To: cpan-bug+MailTools [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #113464] Mail::Header incorrect decoding
X-Spam-Check-BY: la.mx.develooper.com
Date: Mon, 18 Apr 2016 14:11:44 +0200
X-Old-Spam-Flag: No
X-Spam-Level:
X-Ziggo-Spam-Status: No
To: "cpan [...] perl.wizbit.be via RT" <bug-MailTools [...] rt.cpan.org>
In-Reply-To: <rt-4.0.18-23891-1460838891-1678.113464-5-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-4.109 tagged_above=-99.9 required=10 tests=[AWL=-1.409, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Content-Disposition: inline
X-Ziggo-Spamscore: 0.0
X-RT-Interface: API
References: <8D7AF167-C573-4AEC-84D5-B1B6C7AA27AB [...] topdog.za.net> <rt-4.0.18-5398-1459375367-661.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-9890-1459378943-56.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-2075-1459777259-1441.113464-5-0 [...] rt.cpan.org> <20160405144127.GM18315 [...] moon.overmeer.net> <rt-4.0.18-14467-1459867367-585.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-20649-1459971581-1491.113464-5-0 [...] rt.cpan.org> <20160415075932.GR1565 [...] moon.overmeer.net> <rt-4.0.18-3778-1460707188-972.113464-5-0 [...] rt.cpan.org> <rt-4.0.18-23891-1460838891-1678.113464-5-0 [...] rt.cpan.org>
X-Ziggo-Spamreport: CMAE Analysis: v=2.1 cv=fvshHwMf c=1 sm=0 tr=0 a=eNcD7ojaAAAA:8 a=kj9zAlcOel0A:10 a=xqWC_Br6kY4A:10 a=kziv93cY1bsA:10 a=SNGdGZsoAAAA:8 a=9GlnLM2dOGz_H8bKw5MA:9 a=CjuIK1q_8ugA:10 a=IYX7YI2ip6gA:10 xcat=Undefined/Undefined none
Message-ID: <20160418121144.GC2385 [...] moon.overmeer.net>
X-Ziggo-Spambar: /
User-Agent: Mutt/1.5.23 (2014-03-12)
Return-Path: <solutions [...] overmeer.net>
X-RT-Mail-Extension: mailtools
X-Original-To: cpan-bug+MailTools [...] hipster.bestpractical.com
X-Old-Spam-Status: No
From: Mark Overmeer <solutions [...] overmeer.net>
RT-Message-ID: <rt-4.0.18-1015-1460981518-450.113464-0-0 [...] rt.cpan.org>
Content-Length: 876
* cpan@perl.wizbit.be via RT (bug-MailTools@rt.cpan.org) [160416 20:35]:
> Queue: MailTools
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=113464 >
>
> > I think that everyone is using the code that way. It was a serious bug
> > in our change. I am very glad we did not release it yet ;-)
> > I am planning to release the attached version.
>
> I've tested the attached version with my test cases (I'm sure you did the same but can never hurt to double check) and it does produce the expected output.
>

Release as 2.15
-- 
Regards,
MarkOv
------------------------------------------------------------------------
Mark Overmeer MSc    MARKOV Solutions
Mark@Overmeer.net    solutions@overmeer.net
http://Mark.Overmeer.net    http://solutions.overmeer.net
MIME-Version: 1.0
In-Reply-To: <4240C9DF-5300-40AF-B86F-107A531B55F1 [...] topdog.za.net>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: Web
References: <4240C9DF-5300-40AF-B86F-107A531B55F1 [...] topdog.za.net>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-17274-1510143232-1435.113464-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 46
This change to 2.15 broke many applications...

