Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate that go-mail is not vulnerable to email content tampering #151

Closed
wneessen opened this issue Oct 31, 2023 · 1 comment
Closed

Validate that go-mail is not vulnerable to email content tampering #151

wneessen opened this issue Oct 31, 2023 · 1 comment
Assignees
@wneessen
Labels
not-vulnerable

Comments

@wneessen
Copy link
Owner

Is your feature request related to a problem? Please describe.

In the legacy gomail project someone reported a vulnerabilty that allows email content tampering via specially crafted filenames: go-gomail/gomail#190

While I am pretty sure that we should not be vulnerable, since our attachment writer is completely different to gomail's, we need to double check this and, in case of a confirmed vulnerability, fix it accordingly.

Describe the solution you'd like

Properly escaped/encoded filenames in the Content-Disposition and Content-Type headers

Describe alternatives you've considered

No response

Additional context

No response
@wneessen wneessen added the enhancement New feature or request label Oct 31, 2023
@wneessen wneessen self-assigned this Oct 31, 2023
@wneessen
Copy link
Owner Author

Did a test with the provided PoC and can confirm that go-mail is not vulnerable to this.

Date: Tue, 31 Oct 2023 15:04:33 +0100
MIME-Version: 1.0
Message-ID:
 <[email protected]>
Subject: Testmail
User-Agent: go-mail v0.4.0 // https://github.com/wneessen/go-mail
X-Mailer: go-mail v0.4.0 // https://github.com/wneessen/go-mail
From: <[email protected]>
To: <[email protected]>
Content-Type: multipart/mixed;
 boundary=c0fdbde11dbffa4fd9604429e431ccaa67f1e71f9d328fa9e12dcf5b0476

--c0fdbde11dbffa4fd9604429e431ccaa67f1e71f9d328fa9e12dcf5b0476
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8

This is the body
--c0fdbde11dbffa4fd9604429e431ccaa67f1e71f9d328fa9e12dcf5b0476
Content-Disposition: attachment; filename="test.sh\"; dummy=\"a.txt"
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=utf-8; name="test.sh\"; dummy=\"a.txt"

VGhpcyBpcyB0aGUgZmlsZQo=

--c0fdbde11dbffa4fd9604429e431ccaa67f1e71f9d328fa9e12dcf5b0476--

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wneessen wneessen

Labels
not-vulnerable
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@wneessen