[jira] Commented: (MIME4J-57) Add a max limit to header length for parsing.

Sat, 20 Sep 2008 11:50:37 -0700 

    [ 
https://issues.apache.org/jira/browse/MIME4J-57?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12633000#action_12633000
 ] 

Oleg Kalnichevski commented on MIME4J-57:
-----------------------------------------

> I wonder whether a specific MimeException subclass might be more better. This 
> would allow a user to catch and retry with a longer line limit. 

Makes sense.

> Should probably add a few javadoc documentation lines into MimeEntityConfig 
> explaining why it needs to be cloneable since subclassers need to beware.

The class is made final to make sure it cannot be extended. So, this should not 
be an issue

> Alternatively, might be better just to make MimeEntityConfig immutable and so 
> avoid all this cloning. This would be my preferred solution.

I thought about it. However, this approach gets really cumbersome if you all 
you want to change just one parameter. 

I will commit the patch as is. You are welcome to make changes that you deem 
necessary.

Oleg

> Add a max limit to header length for parsing.
> ---------------------------------------------
>
>                 Key: MIME4J-57
>                 URL: https://issues.apache.org/jira/browse/MIME4J-57
>             Project: JAMES Mime4j
>          Issue Type: Bug
>    Affects Versions: 0.3
>            Reporter: Stefano Bagnara
>            Priority: Critical
>             Fix For: 0.5
>
>         Attachments: maxlinelen.patch
>
>
> MIME4J-55 showed issues with very long multipart mime boundary.
> It has been fixed by having the buffer size depending on the boundary length. 
> This create possible issues (OOM/DoS) with malicious messages.
> It would be good to define a maximum length for an header.
> Somewhere in mime rfc or smtp rfc there is a maximum of 998+CRLF ascii bytes 
> per line, of course we may want to support longer headers, but not very long 
> ones.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to