Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: harden phishing detection against missing and malformed headers #10760

Merged
merged 1 commit into from
Feb 27, 2025
Merged

fix: harden phishing detection against missing and malformed headers #10760

merged 1 commit into from
Feb 27, 2025

Conversation

st3iny
Copy link
Member

@st3iny st3iny commented Feb 27, 2025
edited
Loading

Fix #10753
Fix #10361

Ref #10602

Closes #10371 (alternative to)

Before: Emails with missing headers can't be opened, for example, the date header.
After: Emails can be opened again.

(See the referenced tickets for some example EML files to test this with).

@st3iny st3iny added this to the v4.3.0 milestone Feb 27, 2025
@st3iny st3iny self-assigned this Feb 27, 2025
@st3iny
Copy link
Member Author

st3iny commented Feb 27, 2025

/backport to stable4.2

st3iny
st3iny commented Feb 27, 2025
View reviewed changes
lib/Service/PhishingDetection/DateCheck.php
Comment on lines -30 to +29
} catch (DateException $e) {
} catch (\Exception $e) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not ideal, but on my instance the time factory throws a generic Exception.

{
	"type": "Exception",
	"message": "Failed to parse time string (Wed, 26 Feb 2025 12:09:28 +0100 (GMT+01:00)) at position 36 (+): Double timezone specification",
}

kesselb
kesselb approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@kesselb kesselb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

Some tests would be nice though ;)

@st3iny st3iny force-pushed the fix/phishing-detection-hardening branch from 8c6b678 to f8338e6 Compare February 27, 2025 14:21
@st3iny st3iny changed the title fix: harden phishing detection against missing headers fix: harden phishing detection against missing and malformed headers Feb 27, 2025
@st3iny
Copy link
Member Author

st3iny commented Feb 27, 2025

Done, I added some unit tests and more test data.

@kesselb kesselb merged commit 6e67397 into main Feb 27, 2025
35 checks passed
@kesselb kesselb deleted the fix/phishing-detection-hardening branch February 27, 2025 15:02
@backportbot backportbot bot mentioned this pull request Feb 27, 2025
Merged
@nextcloud nextcloud deleted a comment from backportbot bot Feb 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kesselb kesselb kesselb approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst ChristophWurst is a code owner

@GretaD GretaD Awaiting requested review from GretaD GretaD is a code owner

Assignees

@st3iny st3iny

Labels
3. to review bug
Projects
💌 📅 👥 Groupware team
Status: ☑️ Done
Milestone
v4.3.0
Development

Successfully merging this pull request may close these issues.

email content shows "not found" Mail not found, but whole source available
2 participants
@st3iny @kesselb