Issue description
If an Authentication-Results-section is evaluate (via authenticate_message(...) method) and the SPF smtp.mailfrom information contains only a domain (not a mail address) (e.g. spf=pass smtp.mailfrom=example.com) the library will throw an IndexError.
Dec 19 18:03:25 2024 (534425) Uncaught runner exception: list index out of range
Dec 19 18:03:25 2024 (534425) Traceback (most recent call last):
[...]
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 396, in authenticate_message
dmarc_result = check_dmarc(msg, spf_result, dkim_result, dnsfunc=dnsfunc, psddmarc=psddmarc)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 344, in check_dmarc
result, result_comment, from_domain, policy = dmarc_per_from(from_domain, spf_result, dkim_result, dnsfunc, psddmarc)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 234, in dmarc_per_from
mail_from_domain = get_domain_part(spf_result.smtp_mailfrom)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 53, in get_domain_part
return res[0].lower().decode('ascii')
~~~^^^
IndexError: list index out of range
Versions
Analysis
As referenced in RFC7208 - 9.2. -SPF Results in the Authentication-Results Header Field the SPF check information smtp.mailfrom can be equal to a FQDN or a mail address. From a data protection perspective only the FQDN is recommended, cause the SPF check do not require the local part of an mail address.
This is also mentioned within this project and incorrectly set to none if an IndexError occurs:
|
# The domain in SPF results often includes the local part, even though |
|
# generally it SHOULD NOT (RFC 7601, Section 2.7.2, last paragraph). |
|
try: |
|
mail_from_domain = get_domain_part(spf_result.smtp_mailfrom) |
|
except IndexError: |
|
mail_from_domain = None |
|
spf_result.smtp_mailfrom = mail_from_domain |
The relevant code is here:
|
def get_domain_part(address): |
|
'''Return domain part of an email address''' |
|
if sys.version_info < (3, 0) and isinstance(address, str): |
|
address = bytes(address) |
|
elif isinstance(address, str): |
|
address = bytes(address, 'utf8') |
|
res = re.findall(b'@([a-z0-9.]+)', address, re.IGNORECASE) |
|
return res[0].lower().decode('ascii') |
But the regex will only work if an @-sign is provided, otherwise res = [] will be empty and any index access will throw an IndexError.
"Solution"
The regex should be able to extract the domain part correctly.
I was not able to find a (simple) valid regex without including an external library to extract the domain part (https://en.wikipedia.org/wiki/Email_address#Domain) of any given valid mail address within the smtp.mailfrom=... field.
A hotfix-solution is a split of the mailfrom-strings corresponding to valid domain characters and take the last element of the result, like:
- res = re.findall(b'@([a-z0-9.]+)', address, re.IGNORECASE)
+ res = re.findall(b'([a-z0-9-.]+\.[a-z]{2,})', address, re.IGNORECASE)
- return res[0].lower().decode('ascii')
+ return res[-1].lower().decode('ascii')As there are existing test cases adding a new test case will show that will work and not interfere with old possible checked strings:
- froms_to_test = [['test@example.com', 'example.com'], [""""Test, User" <test@example.com>""", 'example.com'], ["""Test User <test@sub2.example.biz>""", 'sub2.example.biz'], ["""=?UTF-8?B?QmVkIEJhdGggJiBCZXlvbmQ=?=<BdBth&Byond@example.com>""", 'example.com'], ]
+ froms_to_test = [['example.com','example.com'], '['test@example.com', 'example.com'], [""""Test, User" <test@example.com>""", 'example.com'], ["""Test User <test@sub2.example.biz>""", 'sub2.example.biz'], ["""=?UTF-8?B?QmVkIEJhdGggJiBCZXlvbmQ=?=<BdBth&Byond@example.com>""", 'example.com'], ]
|
def test_get_domain_part(self): |
|
froms_to_test = [['test@example.com', 'example.com'], [""""Test, User" <test@example.com>""", 'example.com'], ["""Test User <test@sub2.example.biz>""", 'sub2.example.biz'], ["""=?UTF-8?B?QmVkIEJhdGggJiBCZXlvbmQ=?=<BdBth&Byond@example.com>""", 'example.com'], ] |
|
for body_from in froms_to_test: |
|
res = get_domain_part(body_from[0]) |
|
self.assertEqual(res, body_from[1]) |
Issue description
If an
Authentication-Results-section is evaluate (viaauthenticate_message(...)method) and the SPFsmtp.mailfrominformation contains only a domain (not a mail address) (e.g.spf=pass smtp.mailfrom=example.com) the library will throw anIndexError.Versions
12.1python3-authheaders=0.15.2-1(https://packages.debian.org/bookworm/python3-authheaders)Analysis
As referenced in RFC7208 - 9.2. -SPF Results in the Authentication-Results Header Field the SPF check information
smtp.mailfromcan be equal to a FQDN or a mail address. From a data protection perspective only the FQDN is recommended, cause the SPF check do not require the local part of an mail address.This is also mentioned within this project and incorrectly set to
noneif anIndexErroroccurs:authentication-headers/authheaders/__init__.py
Lines 233 to 239 in 9c62915
The relevant code is here:
authentication-headers/authheaders/__init__.py
Lines 46 to 53 in 9c62915
But the regex will only work if an
@-sign is provided, otherwiseres = []will be empty and any index access will throw anIndexError."Solution"
The regex should be able to extract the domain part correctly.
I was not able to find a (simple) valid regex without including an external library to extract the domain part (https://en.wikipedia.org/wiki/Email_address#Domain) of any given valid mail address within the
smtp.mailfrom=...field.A hotfix-solution is a split of the
mailfrom-strings corresponding to valid domain characters and take the last element of the result, like:As there are existing test cases adding a new test case will show that will work and not interfere with old possible checked strings:
authentication-headers/authheaders/test/test_authentication.py
Lines 153 to 157 in 9c62915