Feature/epilogue (#48)

Support epilogue parsing Epilogues are now used by spammers or attackers to insert malicious content into emails, this content comes in the form of other mime parts, these come right after the closing boundary of an email.
jhillyerd · Jan 2, 2018 · ffbfc16 · ffbfc16
1 parent bdc4ef5
commit ffbfc16
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/envelope_test.go b/envelope_test.go
@@ -1020,3 +1020,17 @@ func TestBinaryOnlyBodyHeaders(t *testing.T) {
 		}
 	}
 }
+
+func TestEnvelopeEpilogue(t *testing.T) {
+	msg := openTestData("mail", "epilogue-sample.raw")
+	e, err := ReadEnvelope(msg)
+	if err != nil {
+		t.Fatal("Failed to parse MIME:", err)
+	}
+
+	got := string(e.Root.Epilogue)
+	want := "Potentially malicious content\n"
+	if got != want {
+		t.Errorf("Epilogue == %q, want: %q", got, want)
+	}
+}
diff --git a/part.go b/part.go
@@ -27,6 +27,7 @@ type Part struct {
 	Errors      []Error              // Errors encountered while parsing this part
 	PartID      string               // The ID representing the part's exact position within the MIME Part Tree
 	Utf8Reader  io.Reader            // The decoded content converted to UTF-8
+	Epilogue    []byte               // Content following the closing boundary marker
 
 	boundary      string    // Boundary marker used within this part
 	rawReader     io.Reader // The raw Part content, no decoding or charset conversion
@@ -315,6 +316,13 @@ func parseParts(parent *Part, reader *bufio.Reader) error {
 		}
 	}
 
+	// Store any content following the closing boundary marker into the epilogue
+	epilogue := new(bytes.Buffer)
+	if _, err := io.Copy(epilogue, reader); err != nil {
+		return err
+	}
+	parent.Epilogue = epilogue.Bytes()
+
 	// If a Part is "multipart/" Content-Type, it will have .0 appended to its PartID
 	// i.e. it is the root of its MIME Part subtree
 	if !firstRecursion {

diff --git a/testdata/mail/epilogue-sample.raw b/testdata/mail/epilogue-sample.raw
@@ -0,0 +1,22 @@
+From: Pedro Mendez <pem@open.ch>
+Subject: Epilogue
+Date: Thu, 02 Nov 2017 22:48:39 -0700
+Message-Id: <07B7061D-2676-487E-942E-C341CE4D13DC@open.ch>
+To: pemmemo8@gmail.com
+Mime-Version: 1.0
+Content-Type: multipart/mixed; boundary="Enmime-Test-100"
+
+--Enmime-Test-100
+Content-Transfer-Encoding: 7bit
+Content-Type: text/plain; charset=us-ascii
+
+A text section
+--Enmime-Test-100
+Content-Transfer-Encoding: base64
+Content-Type: text/html; name="test.html"
+Content-Disposition: attachment; filename=test.html
+
+PGh0bWw+Cg==
+
+--Enmime-Test-100-->
+Potentially malicious content