update
@@ -11,6 +11,7 @@ import type { ISmtpSession, ISmtpTransactionResult } from './interfaces.js';
|
||||
import type { IDataHandler, ISessionManager } from './interfaces.js';
|
||||
import { SmtpResponseCode, SMTP_PATTERNS, SMTP_DEFAULTS } from './constants.js';
|
||||
import { SmtpLogger } from './utils/logging.js';
|
||||
import { detectHeaderInjection } from './utils/validation.js';
|
||||
import { Email } from '../../core/classes.email.js';
|
||||
import { UnifiedEmailServer } from '../../routing/classes.unified.email.server.js';
|
||||
|
||||
@@ -599,6 +600,17 @@ SmtpLogger.debug(`Parsed email subject: ${subject}`, { subject });
|
||||
const name = line.substring(0, separatorIndex).trim().toLowerCase();
|
||||
const value = line.substring(separatorIndex + 1).trim();
|
||||
|
||||
// Check for header injection attempts in header values
|
||||
if (detectHeaderInjection(value)) {
|
||||
SmtpLogger.warn('Header injection attempt detected in email header', {
|
||||
headerName: name,
|
||||
headerValue: value.substring(0, 100) + (value.length > 100 ? '...' : ''),
|
||||
sessionId: session.id
|
||||
});
|
||||
// Skip this header to prevent injection
|
||||
continue;
|
||||
}
|
||||
|
||||
// Special handling for MIME-encoded headers (especially Subject)
|
||||
if (name === 'subject' && value.includes('=?')) {
|
||||
try {
|
||||
|
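Review bot: The check at `if (detectHeaderInjection(value))` sees only the raw header value and runs before the MIME encoded-word branch that follows, so a Subject whose decoded form contains CR/LF would pass unless the decoded string is checked again. The `try` body lies outside this hunk, so this may already be handled there; if not, re-run the check on the decoded result, e.g. `if (detectHeaderInjection(decodedSubject)) continue;`, where `decodedSubject` is a placeholder for whatever variable holds the decoded text. Separately, `headerValue` writes up to 100 characters of a value that was just flagged as suspicious into the log. Unless SmtpLogger escapes control characters, neutralise them first, e.g. `value.substring(0, 100).replace(/[\r\n]/g, ' ')`, so that a crafted header cannot forge log lines. The enclosing loop starts and ends outside the hunk.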