
Security review of Plancake e-mail parser library
Closed, Resolved (Public)

Description

Gerrit change I5cc3d2eda7188628fd016950a16ffe63c2ae6f6f proposes adding the Plancake e-mail parser library to the mediawiki/vendor repository. This addition needs to be approved by the security team.


Version: unspecified
Severity: normal

Details

Reference
bz72956

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 3:45 AM
bzimport added a project: MediaWiki-Vendor.
bzimport set Reference to bz72956.

The library was already approved in https://bugzilla.wikimedia.org/show_bug.cgi?id=69099#c3 so I think this just needs to be acknowledged here for bookkeeping purposes.

I thought there was more to it than just https://github.com/floriansemm/official-library-php-email-parser/blob/master/PlancakeEmailParser.php, but it looks like that's all there is?

I can't speak to the correctness of the email parsing, but the code shouldn't be able to harm the site.

It does pass user-controlled data to the in_charset of iconv. I don't think there should be an issue there, but I'm going to check out iconv again.

csteipp subscribed.

> It does pass user-controlled data to the in_charset of iconv. I don't think there should be an issue there, but I'm going to check out iconv again.

Just hands it off to the system library. Hopefully that's sane. Good enough for me.
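The exchange above leaves the charset-name question with the system iconv library. As an added illustration (not Plancake or MediaWiki code, and not part of the review), the snippet below shows how a caller can narrow what reaches `iconv()`: it rejects charset names that do not look like IANA tokens before the call, and turns iconv's `false` return (unknown encoding or illegal input sequence) into a `null` rather than a PHP notice. The function name `convertToUtf8` and the sample inputs are constructed for this example.

```php
<?php
// Added example, not Plancake library code: validate a message-supplied
// charset name before handing it to iconv(), and handle conversion failure.
declare(strict_types=1);

/**
 * Convert $text from a caller-supplied charset to UTF-8.
 * Returns null if the charset name is malformed, unknown to iconv, or the
 * input contains sequences that are illegal in that charset.
 */
function convertToUtf8(string $text, string $charset): ?string
{
    // Registered charset names are short tokens of letters, digits and a
    // few punctuation characters (e.g. "ISO_8859-1:1987"). Reject anything
    // else so only plausible names reach the system converter.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}$/', $charset)) {
        return null;
    }

    // iconv() returns false (and raises E_NOTICE) for an unknown encoding or
    // an illegal byte sequence; the @ suppresses the notice so the caller
    // sees a clean null instead.
    $result = @iconv($charset, 'UTF-8', $text);
    return $result === false ? null : $result;
}

// Constructed sample inputs: one valid Latin-1 string, one already UTF-8,
// one malformed charset name, one well-formed but unknown charset name.
$samples = [
    ['ISO-8859-1',    "caf\xE9"],        // valid Latin-1, converts to "café"
    ['utf-8',         "caf\xC3\xA9"],    // already UTF-8, passes through
    ['not a charset', 'hello'],          // rejected by the name check
    ['BOGUS-9999',    'hello'],          // passes the check, unknown to iconv
];

foreach ($samples as [$charset, $text]) {
    $out = convertToUtf8($text, $charset);
    printf("%-15s => %s\n", $charset, $out === null ? '(rejected)' : $out);
}
```

The name check is deliberately a syntactic filter rather than an allow-list: it keeps arbitrary strings away from the library without having to enumerate every encoding a given iconv build supports, while the `null` return lets the caller decide whether to fall back to treating the body as raw bytes.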