james-mime4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Raffaele Gambelli (JIRA)" <mime4j-...@james.apache.org>
Subject [jira] [Commented] (MIME4J-186) QP encoding and dotstuffing issues (let's encode the "." to "=2E")
Date Wed, 26 Sep 2018 07:24:00 GMT

    [ https://issues.apache.org/jira/browse/MIME4J-186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16628345#comment-16628345
] 

Raffaele Gambelli commented on MIME4J-186:
------------------------------------------

This issue should be absolutely reconsidered, in my opinion you have introduced a big bug,
because for the quotable printable encoding all printable ASCII characters (decimal values
between 33 and 126) may be represented by themselves, except = (decimal 61).

I've explained in [issue MIME4J-282|https://issues.apache.org/jira/browse/MIME4J-282] the
main consequence of having encoded *all dots*, in summary mime4j library is not able to return
the original raw message, this is a real message tampering which produces messages not compliant
with their digital signature (all certified/registered messages, a kind of messages used more
and more by many countries [rfc6109|https://tools.ietf.org/html/rfc6109])


> QP encoding and dotstuffing issues (let's encode the "." to "=2E")
> ------------------------------------------------------------------
>
>                 Key: MIME4J-186
>                 URL: https://issues.apache.org/jira/browse/MIME4J-186
>             Project: James Mime4j
>          Issue Type: Improvement
>          Components: dom
>    Affects Versions: 0.6
>            Reporter: Stefano Bagnara
>            Assignee: Stefano Bagnara
>            Priority: Minor
>             Fix For: 0.7
>
>
> There are non compliant SMTP/POP tools/gateway/filters out there doing bad stuff with
dot stuffing.
> I send trackable emails and I have trackable urls with "." in their path: I estimated
that when a "." ends up at the end or at the beginnning of a line (in the qp encoded html
part) between 0.5% and 1% of recipients receive a bad url (having ".." instead of "." or 
having the stripped ".")
> I identified at least AVG spam filter show a bad behaviour when filtering spam for generic
mail client (but not when used with outlook). It seems that AVG intercept the tcp connection
and does its own stuff and this way it breaks when dots are at the beginning or end of a line.
> Of course the example is about an url because it is the one I'm able to monitor and to
have statistical evidence, but this happens with any DOT in the message, even in text plain
parts. You understand that having the message "altered" also break dkim/gpg signatures.
> One way to fix this is to change the Quoted Printable encode to make sure to encode also
the DOTs. This make the QP encoded part a bit less readable (who reads them manually today??)
but it protect the stream from uncompliant mail agents. We could even encode the "." only
when it is the first or the last of the line but I think it would be a "weird" behaviour so
I propose to simply add the "." to the list of chars to be encoded.
> I think that this could be the new behaviour and that making this configurable is a bit
"over-configurability", but if people things it should be configurable then please propose
a way to configure the behaviour. The RFC give us freedom with this regard (specify what chars
HAVE TO be encoded and what MAY be left unencoded, but one could even encode every single
char).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message