Security: Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection ([GHSA-54wq-72mp-cq7c](https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c))

2026-06-27 22:46:09 +00:00 · 2026-01-15 11:59:59 +13:00
parent 2734efbc66
commit 36cc06c125
1 changed files with 23 additions and 2 deletions
--- a/internal/smtpd/smtpd.go
+++ b/internal/smtpd/smtpd.go
@@ -15,6 +15,7 @@ import (
 	"io/fs"
 	"log"
 	"net"
+	"net/mail"
 	"os"
 	"regexp"
 	"strconv"
@@ -421,7 +422,7 @@ loop:
 				break
 			}

-			match := mailFromRE.FindStringSubmatch(args)
+			match := extractAndValidateAddress(mailFromRE, args)
 			if match == nil {
 				s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid FROM parameter)")
 			} else {
@@ -477,7 +478,7 @@ loop:
 				break
 			}

-			match := rcptToRE.FindStringSubmatch(args)
+			match := extractAndValidateAddress(rcptToRE, args)
 			if match == nil {
 				s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid TO parameter)")
 			} else {
@@ -1014,3 +1015,23 @@ func (s *session) handleAuthCramMD5() (bool, error) {

 	return authenticated, err
 }
+
+// Extract and validate email address from a regex match.
+// This ensures that only RFC 5322 email addresses are accepted (if set).
+func extractAndValidateAddress(re *regexp.Regexp, args string) []string {
+	match := re.FindStringSubmatch(args)
+	if match == nil || strings.Contains(match[1], " ") {
+		return nil
+	}
+
+	// first argument will be the email address, validate it if not empty
+	if match[1] != "" {
+		// fmt.Println("Validating email address:", match[1])
+		_, err := mail.ParseAddress(match[1])
+		if err != nil {
+			return nil
+		}
+	}
+
+	return match
+}