Skip to content

Mimeparser uses unprotected Date header #6641

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
link2xt opened this issue Mar 11, 2025 · 0 comments · Fixed by #6669
Closed

Mimeparser uses unprotected Date header #6641

link2xt opened this issue Mar 11, 2025 · 0 comments · Fixed by #6669
Assignees
@link2xt
Labels
bug Something is not working

Comments

@link2xt
Copy link
Collaborator

link2xt commented Mar 11, 2025
edited
Loading

We already protect the Date header against modification here:

core/src/mimefactory.rs

Lines 914 to 936 in e5a3eae

} else if is_encrypted {
protected_headers.push(header.clone());
match header_name.as_str() {
"subject" => {
unprotected_headers.push((
"Subject",
mail_builder::headers::raw::Raw::new("[...]").into(),
));
}
"date"
| "in-reply-to"
| "references"
| "auto-submitted"
| "chat-version"
| "autocrypt-setup-message" => {
unprotected_headers.push(header.clone());
}
_ => {
// Other headers are removed from unprotected part.
}
}
} else {

There is an open PR #6649 to protect the Date by replacing it with unix epoch in the outer header.

However, it cannot be merged because mimeparser uses unprotected timestamp for Autocrypt header here:

core/src/mimeparser.rs

Lines 348 to 353 in 7f55613

if let Some(protected_aheader_value) = decrypted_mail
.headers
.get_header_value(HeaderDef::Autocrypt)
{
aheader_value = Some(protected_aheader_value);
}

I also made a minor fix for signed-only messages: #6642
Fix for the Autocrypt issue is at #6669
@link2xt link2xt added the bug Something is not working label Mar 11, 2025
@link2xt link2xt self-assigned this Mar 11, 2025
This was referenced Mar 11, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@link2xt link2xt

Labels
bug Something is not working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: use protected Date with protected Autocrypt chatmail/core
1 participant
@link2xt