Bug in validHeaderFieldByte(): characters disallowed in http header field are allowed in email header field #282
Comments
Reported to upstream too: golang/go#58862

Hi @jhillyerd, any thoughts?

My thought is this is a bummer, I was planning on releasing enmime 1.0 next week. 😭 This isn't the first time something like this has happened; as you noted, Go is only focused on the HTTP use-case. It looks like the team put your issue into the backlog, so I think we will need to maintain an internal fork of the header parsing to insulate enmime from this and future changes. Hopefully we can maintain compatibility with `textproto.MIMEHeader`; if not, now is the time to break it. I'll look into it this week, but for now I'd recommend sticking with Go 1.19.

Do you accept an internal "net/textproto" package with this issue fixed? I already worked out a patch and am ready to send it for your review.

Sure, send a PR!

Hi @jhillyerd, the PR is ready, please help review: #283

There's some issue left: all methods of
Dear @jhillyerd

There's a critical bug in `validHeaderFieldByte()` (and more places). `validHeaderFieldByte()` checks valid characters for an HTTP header, not for an email header field: https://github.com/jhillyerd/enmime/blob/master/header.go#L257

According to RFC 5322 "Internet Message Format", section "2.2 Header fields":

Here's the full list of printable US-ASCII characters:
https://www.ascii-code.com/characters/printable-characters

For example, the characters `/`, `*`, `[`, `]` are allowed in an email header field, but they won't pass the current `validHeaderFieldByte()`. This causes a parse error like this:

I believe there are more bugs caused by treating an email header field as an HTTP header field.
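The two field-name rules side by side, as an added example that is not part of the original post and not enmime's or Go's code: it assumes "valid characters for an HTTP header" means the RFC 7230 `tchar` set and takes the mail rule from RFC 5322 section 2.2 (printable US-ASCII 33 to 126, except colon). All function names and the sample field names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// httpTokenSymbols are the non-alphanumeric tchar bytes of RFC 7230.
const httpTokenSymbols = "!#$%&'*+-.^_`|~"

// isHTTPTokenByte reports whether c may appear in an HTTP field name (token).
func isHTTPTokenByte(c byte) bool {
	alnum := 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9'
	return alnum || strings.IndexByte(httpTokenSymbols, c) >= 0
}

// isMailFieldNameByte applies RFC 5322 2.2: printable US-ASCII except colon.
func isMailFieldNameByte(c byte) bool {
	return c >= 33 && c <= 126 && c != ':'
}

// validName checks every byte of a field name against the given rule.
func validName(name string, ok func(byte) bool) bool {
	for i := 0; i < len(name); i++ {
		if !ok(name[i]) {
			return false
		}
	}
	return name != "" // an empty field name is never valid
}

// mailOnlyBytes lists bytes legal in a mail field name but rejected by the
// HTTP token rule, i.e. what a mail parser loses by reusing an HTTP check.
func mailOnlyBytes() string {
	var b strings.Builder
	for c := byte(33); c <= 126; c++ {
		if isMailFieldNameByte(c) && !isHTTPTokenByte(c) {
			b.WriteByte(c)
		}
	}
	return b.String()
}

func main() {
	fmt.Printf("mail-only bytes: %q\n", mailOnlyBytes())
	for _, n := range []string{"X-Mailer", "X-Example/Trace", "X-Flags[0]"} { // constructed names
		fmt.Println(n, validName(n, isHTTPTokenByte), validName(n, isMailFieldNameByte))
	}
}
```

A mail parser that rejects these bytes fails on messages that other RFC 5322 parsers accept, so the same message can be handled differently at different hops.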