Bug #33 mlmmj uses From whereas it should use Envelope-From
Submitted: 2012-01-09 20:59 UTC Modified: 2018-01-16 01:15 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:2 of 3 (66.7%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: wavexx at thregr dot org
Assigned:
Status: Open
Mlmmj Version: 1.2.17
OS:
MTA:
MTA Version:

 [2012-01-09 20:59 UTC] wavexx at thregr dot org
Description:
------------
In mlmmj-process there seems to be absolutely _no_ distinction of Envelope-from and From. From: is used anywhere by restricting it to the first valid From: address. Looks broken to me, especially when checking for loops (comparing list-address against From). Envelope-From should be used everywhere instead (which, by the way, is unique in the message and thus easier to handle), while trying to preserve the supplied From: in the message.

mlmmj breaks gmane! And gmane is doing the Right Thing(r) here by faking the From: sender and setting a correctly subscribed envelope-from.

The proposed solutions that circle in the list archives are equally broken:

  http://mlmmj.org/archive/mlmmj/2011-01/1891.html

This will allow anyone to easily send spam through a fake gmane header. Faking envelope-from is much harder when using DKIM or similar solutions.

I patched mlmmj so that Envelope-from: is used for 
processing/subonlypost and access control. From: is used only when 
generating the body of help messages.

This fixed gmane for me.

I also shuffled mlmmj-process.c so that address validation checks are 
performed before using the addresses themselves. listprocess.c could 
also use some extra-cleanup (efrom is validated in 10 different places, 
but could probably be done just once in mlmmj-process.c when efrom is 
extracted).

The patch[1] has been sitting idle in the mailing list for a long time now. I decided to file a proper bug report, since I consider this to be a bug in mailing list software.

[1] http://mlmmj.org/archive/mlmmj/2011-09/2023.html

Thanks
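
Added example, not part of the bug report and not mlmmj's code: a subscriber-only and loop check run twice over the same constructed messages, once keyed on the first From: address and once on the envelope sender. It assumes the delivering MTA records the envelope sender in a single Return-Path: header; all addresses, names and verdict strings are made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed list configuration (hypothetical addresses).
LIST_ADDRESS = "list@lists.example.org"
SUBSCRIBERS = {"gateway@relay.example.net", "alice@example.com"}

# Constructed messages. A gateway posts on behalf of an unsubscribed author,
# an unsubscribed sender claims a subscriber's From:, and a bounce has a null sender.
GATEWAY_POST = ("Return-Path: <gateway@relay.example.net>\n"
                "From: Bob <bob@elsewhere.example>\nSubject: hi\n\nbody\n")
FORGED_FROM = ("Return-Path: <bulk@unknown.example>\n"
               "From: Alice <alice@example.com>\nSubject: offer\n\nbody\n")
BOUNCE = ("Return-Path: <>\n"
          "From: MAILER-DAEMON@mx.example.net\nSubject: failure\n\nbody\n")

def envelope_sender(msg):
    """Envelope sender, assumed to be recorded by the MTA in Return-Path:."""
    values = msg.get_all("Return-Path", [])
    if len(values) != 1:              # missing or ambiguous: refuse to guess
        return None
    addr = parseaddr(values[0])[1].lower()
    return addr if "@" in addr else None   # "<>" (null sender) yields None

def first_header_from(msg):
    """First valid address in From:, the behaviour the report criticises."""
    for _, addr in getaddresses(msg.get_all("From", [])):
        if "@" in addr:
            return addr.lower()
    return None

def decide(raw, use_envelope):
    """Validate the sender first, then apply loop and subscriber checks to it."""
    msg = message_from_string(raw)
    sender = envelope_sender(msg) if use_envelope else first_header_from(msg)
    if sender is None:
        return "reject: no usable sender"
    if sender == LIST_ADDRESS:
        return "drop: loop"
    if sender not in SUBSCRIBERS:
        return "deny: not subscribed"
    return "accept"

if __name__ == "__main__":
    for name, raw in [("gateway", GATEWAY_POST), ("forged", FORGED_FROM), ("bounce", BOUNCE)]:
        print(name, "| From:", decide(raw, False), "| envelope:", decide(raw, True))
```

The From: header is left untouched in both modes, so the original author's address can still be preserved in the delivered message.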