JavaMail allows injection of unwanted headers #222

Closed
glassfishrobot opened this issue Jul 6, 2016 · 5 comments

Applications that do not provide sufficient validation on some fields used to compose emails may be vulnerable to unwanted header injection when sending emails.

In particular, when an application allows the user to specify a "from" name and that name has a newline character embedded, the raw email stream arriving at the destination may see the line following the newline character as a header within the email stream.

For example:

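MimeMessage msg = new MimeMessage(someSession);
// InternetAddress(String address, String personal): the personal name carries the embedded newline
InternetAddress fromAddress = new InternetAddress("myrealaddress@foo.com", "My Name \nX-SomeHeader: somedata");
msg.setFrom(fromAddress);
// MimeMessage has no send() method; messages are sent through Transport
Transport.send(msg);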

When JavaMail emits the "from" header into the stream, it will look like this:

From: "My Name
X-SomeHeader: somedata" myrealaddress@foo.com

This will give the receiving system a bogus "From" header as well as an injected "X-SomeHeader" header.

Depending on how the receiving system behaves and the injected header itself, it may be possible for an attacker to cause unwanted or unauthorized behavior on the receiving system.

Affected Versions

1.5.5

Environment

PC
Linux

@glassfishrobot Commented
Reported by rstevens_sf

@glassfishrobot Commented
@bshannon said:
The JavaMail javadocs have always made it clear that applications are responsible
for validating input before passing it to JavaMail API methods. Still, some
developers are confused about this or never read the documentation.

I've enhanced JavaMail for 1.5.6 to ensure that newlines in headers that are
folded (address headers, Subject, Content-Type, Content-Description, ...)
are always followed by whitespace to prevent possible header injection.
Applications that manipulate headers directly will still need to handle this
themselves.
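
The two defences mentioned in this thread, application-side validation and the rule that a newline in a folded header must be followed by whitespace, sketched as an added example using only the JDK. This is not JavaMail's code; the class and method names (`HeaderValueGuard`, `startsNewHeaderLine`, `requireSingleLine`) are hypothetical and the sample inputs are constructed.

```java
public class HeaderValueGuard {

    /** True when a line break in the value is not followed by a space or tab, so the
     *  next line would be read as a new header instead of a folded continuation. */
    static boolean startsNewHeaderLine(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') continue;
            // Treat CRLF as a single line break.
            if (c == '\r' && i + 1 < value.length() && value.charAt(i + 1) == '\n') i++;
            if (i + 1 >= value.length()) return true;   // trailing line break ends the header
            char next = value.charAt(i + 1);
            if (next != ' ' && next != '\t') return true;
        }
        return false;
    }

    /** Application-side validation: refuse any CR or LF in a user-supplied field. */
    static String requireSingleLine(String fieldName, String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(fieldName + " must not contain CR or LF");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the "from" name used in the report.
        String[] names = {
            "My Name",
            "My Name \nX-SomeHeader: somedata",
            "My Name\r\n folded continuation"
        };
        for (String name : names) {
            System.out.println("input: " + name.replace("\r", "\\r").replace("\n", "\\n"));
            System.out.println("  starts a new header line: " + startsNewHeaderLine(name));
            try {
                requireSingleLine("from name", name);
                System.out.println("  validation: accepted");
            } catch (IllegalArgumentException e) {
                System.out.println("  validation: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The third input shows the difference between the two checks: a line break followed by whitespace is a legal fold and does not start a new header, but strict validation of a user-supplied name still rejects it.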

@glassfishrobot Commented
This issue was imported from Bugzilla JAVAMAIL-7529

@glassfishrobot Commented
Marked as fixed on Tuesday, May 2nd 2017, 1:27:00 pm
