6.0.0-beta1
▾
Tasks
New Task
Search
Photos
Wiki
▾
Tickets
New Ticket
Search
dev.horde.org
Toggle Alerts Log
Help
11/8/25
H
istory
A
ttachments
C
omment
W
atch
Download
Comment on [#12062] Mime parser fails to parse multipart message
*
Your Email Address
*
Spam protection
Enter the letters below:
.__ ._..___._. . [ __ | [__ | | [_./_|_| _|_\__|
Comment
>> So this "antivirus" solution you mentioned is pretty useless >> in the real world if it can be fooled by a missing MIME-Version header. > > How do you come to that conclusion? Because *other* products don't > treat it right? That has never been a proxy for analyzing the > details of the issue. > > And FWIW: I don't think anybody is regarding Thunderbird and/or > Outlook as paragons of security. > >> Also the perl-MIME-tools 5.427 used by the popular amavisd-new email >> content scanner (antivirus / antispam tool) also checks for >> "multipart" in the Content-Type header only. >> So that's already quite a big security "breach" ;) > > We don't control those tools. That doesn't mean that what *they* do > is correct. > >> -> I don't think it's a security issue since the popular MUAs tested >> above ignore it. > > This absolutely does NOT make it not a security issue. > > Short story: if someone wants to ignore the MIME-Version header, it > is at their own peril. But it absolutely, positively can NOT be the > default of any MIME parsing library. That is irresponsible coding. > > Closing this ticket because we already provide an OPTIONAL way of > parsing messages without checking for MIME-Version headers > ('forcemime').
Attachment
Watch this ticket
N
ew Ticket
M
y Tickets
S
earch
Q
uery Builder
R
eports
Saved Queries
Open Bugs
Bugs waiting for Feedback
Open Bugs in Releases
Open Enhancements
Enhancements waiting for Feedback
Bugs with Patches
Enhancements with Patches
Release Showstoppers
Stalled Tickets
New Tickets
Horde 5 Showstoppers