[Tickets #12062] Re: Mime parser fails to parse multipart message

noreply at bugs.horde.org noreply at bugs.horde.org
Tue Mar 5 04:13:37 UTC 2013


Ticket URL: http://bugs.horde.org/ticket/12062
  Ticket             | 12062
  Updated By         | Michael Slusarz <slusarz at horde.org>
  Summary            | Mime parser fails to parse multipart message
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
-State              | Unconfirmed
+State              | Not A Bug
  Priority           | 1. Low
  Milestone          |
  Patch              | 1
  Owners             |

Michael Slusarz <slusarz at horde.org> (2013-03-04 21:13) wrote:

> So this "antivirus" solution you mentioned is pretty useless
> in the real world if it can be fooled by a missing MIME-Version header.

How do you come to that conclusion?  Because *other* products don't  
treat it right?  That has never been a proxy for analyzing the details  
of the issue.

And FWIW: I don't think anybody is regarding Thunderbird and/or  
Outlook as paragons of security.

> Also the perl-MIME-tools 5.427 used by the popular amavisd-new email  
> content scanner (antivirus / antispam tool) also checks for  
> "multipart" in the Content-Type header only.
> So that's already quite a big security "breach" ;)

We don't control those tools.  That doesn't mean that what *they* do  
is correct.

> -> I don't think it's a security issue since the popular MUAs tested  
> above ignore it.

This absolutely does NOT make it not a security issue.

Short story: if someone wants to ignore the MIME-Version header, it is  
at their own peril.  But it absolutely, positively can NOT be the  
default of any MIME parsing library.  That is irresponsible coding.

Closing this ticket because we already provide an OPTIONAL way of  
parsing messages without checking for MIME-Version headers  

More information about the bugs mailing list