Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Email-Address CPAN distribution.

Report information
The Basics
Id: 52966
Status: resolved
Priority: 0/
Queue: Email-Address
People
Owner: Nobody in particular
Requestors: cb [...] df7cb.de
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: 1.889
Fixed in: (no value)

History Show all quoted text
  Tue Dec 22 05:52:35 2009 cb [...] df7cb.de - Ticket created
Subject: Email::Address takes very long to parse weird strings
The header contained in the attached file makes Email::Address->parse take very long to complete; our amavisd-new instance kills the subprocess after 8 minutes. Of course, the header is all weird and probably broken, and I don't even expect correct parsing results, but still, this is some DoS attack vector. How to reproduce: $ cat run.pl use Email::Address; undef $/; my $a = <>; $a =~ s/^To: //; print Email::Address->parse($a); $ perl run.pl < to.txt We also have a much shorter (some 100 bytes) header that makes the run time explode that I'll attach as soon I can find it...
Subject: to.txt

Message body is not shown because it is too large.

  Tue Jan 19 08:43:02 2010 cb [...] df7cb.de - Correspondence added
From: cb [...] df7cb.de
Am Di 22. Dez 2009, 05:52:35, myon schrieb: Show quoted text
> We also have a much shorter (some 100 bytes) header that makes the run > time explode that I'll attach as soon I can find it...
Here is it. I cannot reproduce it, though, I guess the problem vanished with some perl upgrade, there's some very old (possibly pre 5.8) version on that customer machine. use Email::Address; print Email::Address->parse('xxxxxxxxx.xxxxxxx @xxx.xxxx.de '); # note the trailing spaces on localpart and domain The problem stated in the first mail is still valid.
  Tue Jan 19 08:45:20 2010 cb [...] df7cb.de - Correspondence added
From: cb [...] df7cb.de
Show quoted text
> print Email::Address->parse('xxxxxxxxx.xxxxxxx > @xxx.xxxx.de '); # note the > trailing spaces on localpart and domain
To clarify, as it's not visible in the web interface: these are >30 spaces each.
  Tue Dec 18 16:01:55 2012 RUZ [...] cpan.org - Correspondence added
I believe this was fixed by shrinking space only sequences into one space. I think it's ok to close the ticket. -- Best regards, Ruslan.
  Tue Dec 18 16:01:56 2012 The RT System itself - Status changed from 'new' to 'open'
  Wed Feb 27 21:02:56 2013 rjbs [...] cpan.org - Correspondence added
Resolved as suggested. -- rjbs
  Wed Feb 27 21:02:57 2013 rjbs [...] cpan.org - Status changed from 'open' to 'resolved'