Safeguard subject property (and others) against SMTP CRLF injection attacks #88

bbottema · 2017-08-09T08:13:11Z

It is possible to set a subject which contains newlines and custom SMTP protocol directives which directly sets the body of the email. This can be an issue when the subject comes from an external resource.

As a matter of precaution, Simple Java Mail should simply remove newline characters from all values (except for the body).

Also see:

…king the entire email (except for the DKIM properties)

bbottema · 2017-08-12T12:40:49Z

Released in 4.3.0.

bbottema added this to the 4.3.0 milestone Aug 9, 2017

bbottema added Priority-Low security labels Aug 9, 2017

bbottema added a commit that referenced this issue Aug 12, 2017

#88 Added validation checks for suspicious injection characters. Chec…

12aac84

…king the entire email (except for the DKIM properties)

bbottema self-assigned this Aug 12, 2017

bbottema changed the title ~~Subject property (and possible others) can be abused for injection attacks~~ Safeguard subject property (and others) against SMTP CRLF injection attacks Aug 12, 2017

bbottema closed this as completed Aug 12, 2017

bbottema added the major feature label Jul 22, 2018

bbottema mentioned this issue Mar 9, 2019

Header validation tripping on known safe emails due to References header #171

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Safeguard subject property (and others) against SMTP CRLF injection attacks #88

Safeguard subject property (and others) against SMTP CRLF injection attacks #88

bbottema commented Aug 9, 2017 •

edited

Loading

bbottema commented Aug 12, 2017

Safeguard subject property (and others) against SMTP CRLF injection attacks #88

Safeguard subject property (and others) against SMTP CRLF injection attacks #88

Comments

bbottema commented Aug 9, 2017 • edited Loading

bbottema commented Aug 12, 2017

bbottema commented Aug 9, 2017 •

edited

Loading