search

msimerson / mail-dmarc

Mail::DMARC, a complete DMARC implementation in Perl
Other
33 stars 23 forks source link

use MIME::Entity and MIME::Parser from MIME::Tools instead of Email::MIME #216

Closed mirespace closed 5 months ago

mirespace commented 8 months ago

Hi again,

I continue with the work to make libmail-dmarc-perl a package that belongs to Ubuntu main (5-10 years of support by the Ubuntu team) through the Main Inclusion Request (MIR) [0].

Inside this work, I need to analyze its dependencies among other things, and I want to share my findings about the Email::MIME dependency [1]. And I would like to get your opinion on this, if you don't mind... it would be very useful for this MIR effort (thanks in advance!).

[Is]([url]()) your feature request related to a problem? Please describe. When I was reviewing that dependency, I found the following issue

"DoS on excessive or deeply nested parts "

reported to rjbs/Email-MIME [2] and also to Debian [3], with no luck in getting answers.

Describe the solution you'd like Because we cannot be 100% sure if the module was free of risk due to the issue, we explore other alternatives. Then we came across MIME::Tools (https://metacpan.org/pod/MIME::Tools). MIME:Tools use Mail:Internet instead of Email::Simple for the email composition.

Describe alternatives you've considered I decided to give it a try, and I made the changes to use MIME::Entity and MIME::Parser from MIME::Tools instead of Email::MIME, without touching calls and uses of Email::Simple to make less disruption to reporting features of Mail::DMARC.

The proposed patch is the following one: patch-to-use-libmime-tools.tar.gz

The tests are passing:

All tests successful.
Files=20, Tests=652, 5 wallclock secs ( 0.08 usr 0.01 sys + 4.06 cusr 0.42 csys = 4.57 CPU)
Result: PASS

Additional context I have a working Ubuntu package with this patch at https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested/+sourcepub/15534403/+listing-archive-extra , for our development Ubuntu series (noble).

What do you think? Thanks again.

[0] https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971 [1] https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 [2] https://github.com/rjbs/Email-MIME/issues/66 [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062

msimerson commented 8 months ago

I chose Email::* back in the day because it was quite a lot smaller and required installing a smaller percentage of CPAN than the more popular tools. Whether that choice is still for the best is outside my ken. I'll defer this to @marcbradshaw , but for now I suggest creating a PR as that's a dandy spot to have such a conversation.

marcbradshaw commented 8 months ago

I will look into the current state of Email::MIME and report back, however the Email::MIME changelog suggests this is no longer an issue.

marcbradshaw commented 6 months ago

Sorry for the delay in getting to this, talking to the maintainer of Email::MIME I'm confident that this issue has been fixed, and that we would have a timely resolution to critical issues in the future.