GNU bug report logs - #51733
27.1; Detect impossible email addresses better

Previous Next

Packages: gnus, emacs;

Reported by: 積丹尼 Dan Jacobson <jidanni <at> jidanni.org>

Date: Wed, 10 Nov 2021 00:29:01 UTC

Severity: wishlist

Found in version 27.1

Fixed in version 29.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

Message #329 received at 51733 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 51733 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#51733: 27.1; Detect impossible email addresses better
Date: Wed, 19 Jan 2022 15:39:07 +0100

On Jan 19 2022, Lars Ingebrigtsen wrote:

> Andreas Schwab <schwab <at> linux-m68k.org> writes:
>
>> On Jan 19 2022, Lars Ingebrigtsen wrote:
>>
>>> Consider somebody sending you an email containing @", characters in the
>>> name part, and then you decode the address, and then run the parsing
>>> function.  The attacker would then have a wide attack surface to trick
>>> the checker into checking the wrong parts of the address.
>>
>> Isn't that the whole point of textsec?
>
> It's perfectly valid to have a
>
> From: "larsi <at> example.com" <larsi <at> other.com>
>
> address.  It's unambigious, and the responses will go to
> larsi <at> other.com.

What's your point?

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."
This bug report was last modified 3 years and 124 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.