Header decoding issue.

Open akissa opened this issue 4 years ago • 6 comments

go-message seems to suffer from an issue which was previously discovered in the Perl Mail::Header module: https://rt.cpan.org/Public/Bug/Display.html?id=113464

The issue involves crafted messages that are usually used to transmit malware bypassing content scanners.

The header looks like this:

--Apple-Mail=_13B14614-BE73-1755-BFC6-C42D9D44027D
Content-Disposition: inline; filename="04EBD_xxxx.xxxx_A546BB.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
name="04EBD_xxxx.xxxx_A546BB.zip"
Content-Transfer-Encoding: base64

go-message fails to parse this, returning unexpected EOF.

akissa, Feb 16 '21 08:02

@emersion Here is my attempt at getting a more tolerant reader. Any issues you see with it? https://github.com/emersion/go-message/compare/master...baruwa-enterprise:add-tolerant-reader?expand=1

It adds a new reader, leaving the existing one intact to prevent breakage for existing users.

akissa, Feb 17 '21 15:02

The error message could be improved, but I don't think it's desirable to have this workaround upstream.

emersion, Feb 17 '21 15:02

@emersion This is not simply fixing an error message. This fixes messages that otherwise would not be parsed at all.

akissa, Feb 17 '21 15:02

Yes. I'd rather not parse these broken messages.

emersion, Feb 17 '21 15:02

If the message cannot be parsed, it is better to give the caller a detailed error message for easy understanding. Otherwise it’s pretty confusing and may take some more time to figure out.

iredmail, Feb 17 '21 15:02

Yeah. I agree the error message should be more descriptive.

emersion, Feb 17 '21 15:02
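The descriptive error asked for in the thread, sketched as an added example (not go-message code and not part of the original discussion): a standard-library-only check that reports which header line of a MIME part is malformed. `CheckHeaderBlock`, `HeaderError` and `Reported` are hypothetical names, and the sketch assumes the defect is the `name=` continuation line lacking leading whitespace, as the sample appears on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// HeaderError (hypothetical type) pinpoints the header line that broke parsing.
type HeaderError struct {
	Line         int
	Text, Reason string
}

func (e *HeaderError) Error() string {
	return fmt.Sprintf("header line %d: %s: %q", e.Line, e.Reason, e.Text)
}

// CheckHeaderBlock validates one MIME part's header lines up to the blank line.
func CheckHeaderBlock(block string) error {
	sc := bufio.NewScanner(strings.NewReader(block))
	seenField := false
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSuffix(sc.Text(), "\r")
		if line == "" {
			return nil // end of header block
		}
		if line[0] == ' ' || line[0] == '\t' { // folded continuation line
			if !seenField {
				return &HeaderError{n, line, "continuation before any field"}
			}
			continue
		}
		name, _, ok := strings.Cut(line, ":")
		if !ok || name == "" || strings.ContainsAny(name, " \t") {
			return &HeaderError{n, line, "not a field line and not folded with leading whitespace"}
		}
		seenField = true
	}
	return sc.Err()
}

// Reported is the header as it appears on this page (boundary line omitted).
const Reported = "Content-Disposition: inline; filename=\"04EBD_xxxx.xxxx_A546BB.zip\"\r\n" +
	"Content-Type: application/x-rar-compressed; x-unix-mode=0600;\r\n" +
	"name=\"04EBD_xxxx.xxxx_A546BB.zip\"\r\n" +
	"Content-Transfer-Encoding: base64\r\n\r\n"

func main() { fmt.Println(CheckHeaderBlock(Reported)) }
```

A caller such as a content scanner can log the returned line number and text and treat the part as unparseable, instead of surfacing a bare unexpected EOF.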