Bug #33 mlmmj uses From whereas it should use Envelope-From
Submitted: 2012-01-10 08:59 UTC Modified: 2018-01-16 13:15 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: wavexx at thregr dot org Assigned:
Status: Open
Mlmmj Version: 1.2.17 OS:
MTA: MTA Version:
 [2012-01-10 08:59 UTC] wavexx at thregr dot org
Description:
------------
In mlmmj-process there seems to be absolutely _no_ distinction of Envelope-from and From. From: is used anywhere by restricting it to the first valid From: address. Looks broken to me, especially when checking for loops (comparing list-address against From). Envelope-From should be used everywhere instead (which, by the way, is unique in the message and thus easier to handle), while trying to preserve the supplied From: in the message.

mlmmj breaks gmane! And gmane is doing the Right Thing(r) here by faking the From: sender and setting a correctly subscribed envelope-from.

The proposed solutions that circle in the list archives are equally broken:

  http://mlmmj.org/archive/mlmmj/2011-01/1891.html

This will allow anyone to easily send spam through a fake gmane header. Faking envelope-from is much harder when using DKIM or similar solutions.

I patched mlmmj so that Envelope-from: is used for 
processing/subonlypost and access control. From: is used only when 
generating the body of help messages.

This fixed gmane for me.

I also shuffled mlmmj-process.c so that address validation checks are 
performed before using the addresses themselves. listprocess.c could 
also use some extra-cleanup (efrom is validated in 10 different places, 
but could probably be done just once in mlmmj-process.c when efrom is 
extracted).

The patch[1] has been sitting idle in the mailing list for a long time now. I decided to file a proper bug report, since I consider this to be a bug in a mailing list software.

[1] http://mlmmj.org/archive/mlmmj/2011-09/2023.html

Thanks



Patches

mlmmj-envelope-from.patch (last revision 2012-01-10 01:09 UTC, by wavexx at thregr dot org)
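
The distinction the report draws, as an added example (not code from mlmmj or from the attached patch): a subscribers-only check and a loop check that can take the sender from either the From: header or the envelope. The struct, function names, subscriber list and case-insensitive matching are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* All names and addresses below are constructed for this example. */
struct msg { const char *envelope_from; const char *from_header; };
enum source { USE_HEADER_FROM, USE_ENVELOPE_FROM };

static const char *subscribers[] = { "alice@example.org", "gateway@news.example.net" };

/* Copy the bare address out of "Name <a@b>" or "a@b"; 0 on success, -1 if malformed. */
static int extract_addr(const char *value, char *out, size_t outlen)
{
    const char *start = strchr(value, '<');
    size_t len;
    if (start) {
        const char *end = strchr(++start, '>');
        if (!end) return -1;
        len = (size_t)(end - start);
    } else {
        start = value + strspn(value, " \t");
        len = strcspn(start, " \t\r\n");
    }
    if (len == 0 || len >= outlen || !memchr(start, '@', len)) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Pick the address that policy decisions are based on, validating it before use. */
static int policy_sender(const struct msg *m, enum source src, char *out, size_t outlen)
{
    const char *raw = (src == USE_ENVELOPE_FROM) ? m->envelope_from : m->from_header;
    return raw ? extract_addr(raw, out, outlen) : -1;
}

/* Subscribers-only posting check; returns 1 if the post is accepted. */
int subonlypost_allowed(const struct msg *m, enum source src)
{
    char addr[256];
    if (policy_sender(m, src, addr, sizeof addr) != 0) return 0; /* fail closed */
    for (size_t i = 0; i < sizeof subscribers / sizeof subscribers[0]; i++)
        if (strcasecmp(addr, subscribers[i]) == 0) return 1;
    return 0;
}

/* Loop check: returns 1 if the policy sender is the list's own address. */
int is_loop(const struct msg *m, const char *listaddr, enum source src)
{
    char addr[256];
    return policy_sender(m, src, addr, sizeof addr) == 0 && strcasecmp(addr, listaddr) == 0;
}
```

With `USE_ENVELOPE_FROM`, a gateway post whose From: names an unsubscribed author is accepted on the gateway's subscribed envelope address, and the From: header is never consulted for access control.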


History

 [2014-01-14 21:26 UTC] wavexx at thregr dot org
Still using mlmmj with this patch ever since.
 [2018-01-16 13:15 UTC] maintainer at mlmmj dot org
I'm not sure whether or not I agree with this change. It has far reaching consequences and breaks backward compatibility significantly. The implications need to be thought through and a migration path determined. It may need to be configurable, then the old behaviour deprecated, then removed. If it's the right thing to do at all. I'm going to try to deal with some other tasks and then come back to this for further thought and probably a fresh discussion on the mailing list.