-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/mail: comments in display names are incorrectly handled #65083
Comments
Change https://go.dev/cl/555596 mentions this issue: |
One of the attack vectors is address spoofing
Output:
|
Fixes a couple of misalignments with RFC 5322 which introduce significant diffs between (mostly) conformant parsers. This change reverts the changes made in CL50911, which allowed certain special RFC 5322 characters to appear unquoted in the "phrase" syntax. It is unclear why this change was made in the first place, and created a divergence from comformant parsers. In particular this resulted in treating comments in display names incorrectly. Additionally properly handle trailing malformed comments in the group syntax. Fixes golang#65083 Change-Id: I00dddc044c6ae3381154e43236632604c390f672 Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@gopherbot please open backport issues, this is a PUBLIC track security fix |
Backport issue(s) opened: #65848 (for 1.21), #65849 (for 1.22). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/566195 mentions this issue: |
Change https://go.dev/cl/566215 mentions this issue: |
Assigned this CVE-2024-24784. |
…in phrase and obs-phrase Fixes a couple of misalignments with RFC 5322 which introduce significant diffs between (mostly) conformant parsers. This change reverts the changes made in CL50911, which allowed certain special RFC 5322 characters to appear unquoted in the "phrase" syntax. It is unclear why this change was made in the first place, and created a divergence from comformant parsers. In particular this resulted in treating comments in display names incorrectly. Additionally properly handle trailing malformed comments in the group syntax. For #65083 Fixed #65849 Change-Id: I00dddc044c6ae3381154e43236632604c390f672 Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/566215 Reviewed-by: Carlos Amedee <carlos@golang.org>
…in phrase and obs-phrase Fixes a couple of misalignments with RFC 5322 which introduce significant diffs between (mostly) conformant parsers. This change reverts the changes made in CL50911, which allowed certain special RFC 5322 characters to appear unquoted in the "phrase" syntax. It is unclear why this change was made in the first place, and created a divergence from comformant parsers. In particular this resulted in treating comments in display names incorrectly. Additionally properly handle trailing malformed comments in the group syntax. For #65083 Fixes #65848 Change-Id: I00dddc044c6ae3381154e43236632604c390f672 Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/566195 Reviewed-by: Carlos Amedee <carlos@golang.org>
…in phrase and obs-phrase Fixes a couple of misalignments with RFC 5322 which introduce significant diffs between (mostly) conformant parsers. This change reverts the changes made in CL50911, which allowed certain special RFC 5322 characters to appear unquoted in the "phrase" syntax. It is unclear why this change was made in the first place, and created a divergence from comformant parsers. In particular this resulted in treating comments in display names incorrectly. Additionally properly handle trailing malformed comments in the group syntax. For golang#65083 Fixed golang#65849 Change-Id: I00dddc044c6ae3381154e43236632604c390f672 Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/566215 Reviewed-by: Carlos Amedee <carlos@golang.org>
…in phrase and obs-phrase Fixes a couple of misalignments with RFC 5322 which introduce significant diffs between (mostly) conformant parsers. This change reverts the changes made in CL50911, which allowed certain special RFC 5322 characters to appear unquoted in the "phrase" syntax. It is unclear why this change was made in the first place, and created a divergence from comformant parsers. In particular this resulted in treating comments in display names incorrectly. Additionally properly handle trailing malformed comments in the group syntax. For golang#65083 Fixed golang#65849 Change-Id: I00dddc044c6ae3381154e43236632604c390f672 Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/566215 Reviewed-by: Carlos Amedee <carlos@golang.org>
In #21018, it was noted that parentheses in display names were rejected, which
resulted in a confusing error.
The solution was to introduce a behavior which diverged relatively significantly
from RFC 5322 in CL50911, allowing special reserved characters to appear in the
"atom" syntax, where they are disallowed by the specification.
One of the consequences of this change was that we introduced non-compliant
handling of comments (text within parentheses) within display names. Parsing
Hello (comment) there <hello@example.com>
should result in a display name ofHello there
, but because we (a) allow special characters (in this case parentheses)in the "atom" syntax and (b) don't properly handle comments in display names, we
parse a name of
Hello (comment) there
which is clearly non-conformant.I believe we should revert CL50911, rather than just removing parentheses from
the allowed set of specials, since it's unclear why this was done to begin with,
and there is no evidence this is useful or needed.
We should additionally support the obs-phrase syntax in dispaly names, which
permit comments, and properly handle them.
Becuase this introduces a parser misalignment, which could plausibly result in
different trust decisions being made by programs using different parsers, we're
considering this a PUBLIC track security issue (per the Go Security Policy).
Thanks to Juho Nurminen of Mattermost for reporting this issue, and @Slonser for
also independently reporting this issue.
The text was updated successfully, but these errors were encountered: