Header validation tripping on known safe emails due to References header

Question

Header validation tripping on known safe emails due to References header

garrettlr opened this issue 6 years ago · 7 comments

I've had this come up a few times now and I'm not sure exactly why or how to avoid it.

for a recent example see below:

<DOKOGW56MP_5bbd3cc7769cf_c3c93fc52d8cb9781275fb_sprut@zendesk.com>

for background, I've used simple-java-mail to power an intranet site which only replies to emails we've received from third parties we work with, primarily to centralize identity, so header validation is of minor concern to us.

is it possible to just fail quietly?

thanks!

Answer 1 · 2018-10-11T06:10:00.000Z

Hi @garrettlr, can you provide a stacktrace or else which validation fails in the code? Doesn't look invalid to me at first glance.

Bug or not, it might be a useful addition to be able to treat injection attacks as warning by configuration (assuming your report is about a failed injection detection).

Answer 2 · 2018-10-27T13:38:14.000Z

@garrettlr, I can't proceed with this until you provide some more info. I would like to understand better what is going on here and preferably be able to reproduce it on my own laptop.

Answer 3 · 2019-02-27T14:01:57.000Z

Hi @bbottema, maybe I can help you with some info.
I've stumbled on this error trying to reply to an valid e-mail:

org.simplejavamail.mailer.MailerException: Suspected of injection attack, field: email.header.References with suspicious value: <aaabbbccc@xxxyyyzzz.eurprd07.prod.outlook.com> <dddeeefff@xxxyyyzzz.eurprd07.prod.outlook.com> at org.simplejavamail.mailer.Mailer.scanForInjectionAttack(Mailer.java:337) ~[simple-java-mail-5.1.3.jar!/:na] at org.simplejavamail.mailer.Mailer.validate(Mailer.java:305) ~[simple-java-mail-5.1.3.jar!/:na] at org.simplejavamail.mailer.Mailer.sendMail(Mailer.java:238) ~[simple-java-mail-5.1.3.jar!/:na] at org.simplejavamail.mailer.Mailer.sendMail(Mailer.java:230) ~[simple-java-mail-5.1.3.jar!/:na]
The References header contains 2 values separated by '\r\n'.

Library version is 5.1.3

Hope this helps

Answer 4 · 2019-03-09T19:27:55.000Z

@madalinl, \r\n characters are attack vectors for header injections (CRLF Injection) and is exactly what triggers the exception (added by #88). Can you explain a little bit more about why this would be a valid use case?

Answer 5 · 2019-05-15T01:28:56.000Z

This happened to me when using the EmailBuilder.replyingTo() construct on a message that already contains a References header. JavaMail builds a new References header with both values, which is "folded", and thus probably contains a newline.

Answer 6 · 2019-05-15T04:06:05.000Z

Thanks @ScottPeterJohnson, I'll see if I can reproduce the bug.

Answer 7 · 2019-05-22T18:54:34.000Z

Fix released in v5.1.7. Please verify!