[Tickets #13041] Re: Posibillity to diabled the Received from ... (Horde Framework) with HTTP header line injection to the e-Mail header lines.

noreply at bugs.horde.org noreply at bugs.horde.org
Tue Mar 18 19:47:17 UTC 2014


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/13041
------------------------------------------------------------------------------
  Ticket             | 13041
  Updated By         | Michael Slusarz <slusarz at horde.org>
  Summary            | Posibillity to diabled the Received from ... (Horde
                     | Framework) with HTTP header line injection to the
                     | e-Mail header lines.
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Enhancement
-State              | New
+State              | Rejected
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Michael Slusarz <slusarz at horde.org> (2014-03-18 13:47) wrote:

> is there a possibility, or could this be realized, to diabled the  
> Received from ... (Horde Framework) with HTTP ... header line  
> injection to the e-Mail header lines.

This is a terrible idea.  It is explicitly prohibited against RFCs.

> This could be good for security reason, because sometime I use a  
> browser at a place, and I don't want to get lines like the following  
> in my e-Mail-Header:

If you are worried about privacy, then don't send e-mail messages.

Otherwise, if you remove those headers, it becomes a security issue  
from the *recipient's* side, since they can no longer effectively  
track the message in the case of abuse.  So these headers are for the  
benefit of the recipient, not the sender.  You start removing tracking  
headers and you become at risk of being put on various RBLs, for  
example.





More information about the bugs mailing list