[Tickets #12062] Re: Mime parser fails to parse multipart message
noreply at bugs.horde.org
noreply at bugs.horde.org
Tue Mar 5 04:13:37 UTC 2013
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/12062
------------------------------------------------------------------------------
Ticket | 12062
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Mime parser fails to parse multipart message
Queue | Horde Framework Packages
Version | Git master
Type | Bug
-State | Unconfirmed
+State | Not A Bug
Priority | 1. Low
Milestone |
Patch | 1
Owners |
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2013-03-04 21:13) wrote:
> So this "antivirus" solution you mentioned is pretty useless
> in the real world if it can be fooled by a missing MIME-Version header.
How do you come to that conclusion? Because *other* products don't
treat it right? That has never been a proxy for analyzing the details
of the issue.
And FWIW: I don't think anybody is regarding Thunderbird and/or
Outlook as paragons of security.
> Also the perl-MIME-tools 5.427 used by the popular amavisd-new email
> content scanner (antivirus / antispam tool) also checks for
> "multipart" in the Content-Type header only.
> So that's already quite a big security "breach" ;)
We don't control those tools. That doesn't mean that what *they* do
is correct.
> -> I don't think it's a security issue since the popular MUAs tested
> above ignore it.
This absolutely does NOT make it not a security issue.
Short story: if someone wants to ignore the MIME-Version header, it is
at their own peril. But it absolutely, positively can NOT be the
default of any MIME parsing library. That is irresponsible coding.
Closing this ticket because we already provide an OPTIONAL way of
parsing messages without checking for MIME-Version headers
('forcemime').
More information about the bugs
mailing list