net/mail: mail ParseAddressList can bypass and panic #43714
Comments
It seems we should check on addrs number at the end of parseAddressList
https://golang.org/src/net/mail/message.go?s=5170:5224#L307

```go
		if p.empty() {
			break
		}
	}
	return list, nil // we should check it here
```

I can send a CL for this issue. Is it OK for you? @cor0ps
@mengzhuo you can make an issue, and if you have questions you can contact me on WeChat: SuperTao99
I agree with you
@odeke-em I found this using the gofuzz tool and I think this is a security problem. Can this get a CVE ID? Thanks
I don't think it's a CVE; RFC 5322 states that an empty group is allowed.
What version of Go are you using (`go version`)?
What operating system and processor architecture are you using (`go env`)?
`go env` Output
What did you do?
https://play.golang.org/p/efQXFJo-TIC
What did you expect to see?
first input `"":;` can bypass
second is panic: mail: no address
What did you see instead?
panic: mail: no address
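A caller-side guard for the two outcomes discussed in this issue, as an added example that is not code from the issue or from net/mail: `mail.ParseAddressList` can return a nil error with zero addresses (an empty group), or an error such as `mail: no address`. `parseRecipients`, `classify` and `ErrNoMailboxes` are hypothetical names, and every sample input except `"":;` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
)

// ErrNoMailboxes (hypothetical name): the list parsed cleanly but holds
// no mailbox at all, for example an RFC 5322 empty group.
var ErrNoMailboxes = errors.New("address list contains no mailboxes")

// parseRecipients (hypothetical helper, not part of net/mail) wraps
// mail.ParseAddressList so both outcomes discussed in the issue surface as
// errors: a parser error, and a nil error with zero addresses.
func parseRecipients(header string) ([]*mail.Address, error) {
	list, err := mail.ParseAddressList(header)
	if err != nil {
		return nil, fmt.Errorf("parse %q: %w", header, err)
	}
	if len(list) == 0 {
		return nil, fmt.Errorf("parse %q: %w", header, ErrNoMailboxes)
	}
	return list, nil
}

// classify maps a header to "ok", "empty" or "invalid" without panicking.
func classify(header string) string {
	_, err := parseRecipients(header)
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrNoMailboxes):
		return "empty"
	default:
		return "invalid"
	}
}

func main() {
	// `"":;` is the input quoted in the issue; the rest are constructed.
	for _, h := range []string{
		`"":;`, `undisclosed-recipients:;`, ``,
		`Alice <alice@example.com>, team: bob@example.com;`,
	} {
		fmt.Printf("%q -> %s\n", h, classify(h))
	}
}
```

Code that goes on to index the returned slice, or that treats a nil error as proof a recipient exists, needs the length check as well as the error check.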