Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

From Address Not Being Parsed Correctly #8164

Closed
neelchauhan opened this issue Aug 10, 2021 · 3 comments
Closed

From Address Not Being Parsed Correctly #8164

neelchauhan opened this issue Aug 10, 2021 · 3 comments
Labels
C: Mail view C: MIME parsing enhancement
Milestone
1.5.0

Comments

@neelchauhan
Copy link

I use Roundcube on a self-hosted personal email server and subscribe to the FreeBSD.org mailing lists, since I'm a FreeBSD developer/committer.

Often times, spam comes through FreeBSD mailing lists and in turn gets forwarded to my server.

One of the spam emails caught my eye, it escaped the "From" address header HTML parsing: "freebsd.org"<noreply@freebsd.org. It wasn't even a highlighted link, which is abnormal.

While this may or may not be innocent, it could be exploited, say if an organization requiring high security uses Roundcube and spam comes in exploiting this address header bug.

I don't know how other email systems do it.

Screenshot

Raw Email (incl headers): Raw Email in (formatted as TXT but actually an EMF)
@neelchauhan
Copy link
Author

Also sorry if I dumped the titles of my latest emails. I don't know if I can delete it.

@alecpl
Copy link
Member

alecpl commented Aug 10, 2021
edited
Loading

I don't see how it could be exploited. Thunderbird displays it as "freebsd.org" <noreply@freebsd.org>, so I guess we could do the same for this specific case. But anyway, I think it's all right to display the input as-is if it cannot be parsed/is invalid.

@alecpl alecpl added this to the later milestone Aug 10, 2021
alecpl added a commit that referenced this issue Aug 15, 2021
@alecpl
Fix so addr-spec with missing closing angle bracket can be parsed (#8164
b60e618 
)
@alecpl alecpl modified the milestones: later, 1.5.0 Aug 15, 2021
alecpl added a commit that referenced this issue Aug 15, 2021
@alecpl
Fix so addr-spec with missing closing angle bracket can be parsed (#8164
1660fdb 
)
@alecpl
Copy link
Member

alecpl commented Aug 15, 2021

Fixed.

@alecpl alecpl closed this as completed Aug 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: Mail view C: MIME parsing enhancement
Projects
None yet
Milestone
1.5.0
Development

No branches or pull requests
2 participants
@alecpl @neelchauhan