[GH-ISSUE #525] Use of rtrim before encryption introduces blank line in headers when header contains lines with only whitespace characters #950

Open
opened 2026-03-14 11:17:14 +03:00 by kerem · 1 comment

Originally created by @alexaka1 on GitHub (Sep 22, 2023).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/525

I have set up an alias to a GOG account, and I forward it to an email. Encryption is turned on, although I don't think it matters (I have disabled encryption for now, but GOG is yet to send the next newsletter).

When I receive the email it contains a partial header in the body, and then the email html is included as multipart/mixed content-type.
The email header contains a List-Unsubscribe key and the value contains a new line with 2 spaces.

```
List-Unsubscribe: <mailto:unsubscribe+redacted@emsgrid.com?subject=redacted>,
  
 <https://gog.salesmanago.com/optOut.htm?uid=redacted&sec=redacted&conversation=redacted&optOutLanguage=en&auto=true>
```

The email body that I see in the client starts exactly after the new line, and contains the <url> and the remaining part of the header.

I have enabled a different mail client as the forward address to see if this is a provider issue, as well as disabled encryption, to see if decryption goes wrong (also unlikely). I will update the post if a new email is sent out.
2FA emails from GOG don't contain a List-Unsubscribe, and are rendered correctly (even with encryption).

I have sent you two sample emails for investigation.

Edit: When encryption is off, the email is correctly handled by both providers, despite having the same header with the line-break. Interesting...


@alexaka1 commented on GitHub (Sep 24, 2023):

Since then I have concluded that only the encrypted messages are messed up.
I have looked at the code and I think this code introduces a completely empty line in the email headers, because of the original header containing a line with 2 spaces.

github.com/anonaddy/anonaddy@045e82bae8/app/CustomMailDriver/Mime/Crypto/OpenPGPEncrypter.php (L143)

And since at this point the email is provided as is to gnupg for encryption, I looked for RFC-5322:

> The body is simply a sequence of characters that follows the header section and is separated from the header section by an empty line (i.e., a line with nothing preceding the CRLF).

So because GOG sends this strange header, AnonAddy cleans this up, but ends up introducing a bug, by inserting a blank line into the headers, which then gets interpreted as start of body by gnupg email parser.

So that was a rabbithole 🙂

I don't have an immediate solution to this, other than ~~GOG~~ smgrid.pl should not compose their headers in such a way. While their header is valid, according to the spec (there are characters before crlf), it makes no sense why it is composed in such a way.

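The failure mode described in the comment above, reproduced as an added example (not AnonAddy's code and not part of the original issue). The sample message is constructed, `rtrim_each_line` is an assumed stand-in for the trimming step, Python's `email` parser stands in for the receiving parser, and `safe_trim` is a hypothetical mitigation.

```python
from email import message_from_bytes

# Constructed sample modelled on the reported header; all values are placeholders.
RAW = (
    b"From: news@example.com\r\n"
    b"List-Unsubscribe: <mailto:unsubscribe@example.com?subject=x>,\r\n"
    b"  \r\n"  # folded continuation line holding only two spaces
    b" <https://example.com/optOut?uid=x>\r\n"
    b"Subject: Newsletter\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Hello\r\n"
)


def rtrim_each_line(raw: bytes) -> bytes:
    """Assumed stand-in for the trimming step: strip trailing whitespace per line.

    A whitespace-only continuation line becomes an empty line, which RFC 5322
    defines as the header/body separator.
    """
    return b"\r\n".join(line.rstrip(b" \t") for line in raw.split(b"\r\n"))


def safe_trim(raw: bytes) -> bytes:
    """Hypothetical mitigation: trim header lines, but drop whitespace-only
    lines from the header section instead of turning them into empty lines.
    The body is left untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = [
        line.rstrip(b" \t")
        for line in head.split(b"\r\n")
        if line.strip(b" \t")  # skip lines that are only spaces or tabs
    ]
    return b"\r\n".join(kept) + sep + body


def parse(raw: bytes):
    """Return (header names, body) as an RFC 5322 parser sees the message."""
    msg = message_from_bytes(raw)
    return msg.keys(), msg.get_payload()


if __name__ == "__main__":
    for label, data in (("original", RAW),
                        ("rtrim per line", rtrim_each_line(RAW)),
                        ("safe trim", safe_trim(RAW))):
        keys, body = parse(data)
        print(f"{label}: headers={keys} body={body!r}")
```
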