Merge pull request #496 from wneessen/bugfix/495_mail-address-parsing

Fix vulnerability in mail address passing to the smtp client

Author: wneessen

b64linebreaker.go

@@ -42,7 +42,7 @@ type base64LineBreaker struct {
 func (l *base64LineBreaker) Write(data []byte) (numBytes int, err error) {
 	if l.out == nil {
 		err = errors.New("no io.Writer set for base64LineBreaker")
-		return
+		return numBytes, err
 	}
 	if l.used+len(data) < MaxBodyLength {
 		copy(l.line[l.used:], data)
@@ -52,25 +52,25 @@ func (l *base64LineBreaker) Write(data []byte) (numBytes int, err error) {
 
 	_, err = l.out.Write(l.line[0:l.used])
 	if err != nil {
-		return
+		return numBytes, err
 	}
 	excess := MaxBodyLength - l.used
 	l.used = 0
 
 	numBytes, err = l.out.Write(data[0:excess])
 	if err != nil {
-		return
+		return numBytes, err
 	}
 
 	_, err = l.out.Write(newlineBytes)
 	if err != nil {
-		return
+		return numBytes, err
 	}
 
 	var n int
 	n, err = l.Write(data[excess:]) // recurse
 	numBytes += n
-	return
+	return numBytes, err
 }
 
 // Close finalizes the base64LineBreaker, writing any remaining buffered data and appending a newline.
@@ -85,10 +85,10 @@ func (l *base64LineBreaker) Close() (err error) {
 	if l.used > 0 {
 		_, err = l.out.Write(l.line[0:l.used])
 		if err != nil {
-			return
+			return err
 		}
 		_, err = l.out.Write(newlineBytes)
 	}
 
-	return
+	return err
 }

client.go

@@ -1261,7 +1261,7 @@ func (c *Client) SendWithSMTPClient(client *smtp.Client, messages ...*Msg) (retu
 			Reason: ErrConnCheck, errlist: []error{err}, isTemp: isTempError(err),
 			errcode: errorCode(err), enhancedStatusCode: enhancedStatusCode(err, escSupport),
 		}
-		return
+		return returnErr
 	}
 
 	var errs []error
@@ -1279,7 +1279,7 @@ func (c *Client) SendWithSMTPClient(client *smtp.Client, messages ...*Msg) (retu
 		}
 	}
 
-	return
+	return returnErr
 }
 
 // auth attempts to authenticate the client using SMTP AUTH mechanisms. It checks the connection,

doc.go

@@ -11,4 +11,4 @@ package mail
 
 // VERSION indicates the current version of the package. It is also attached to the default user
 // agent string.
-const VERSION = "0.7.0"
+const VERSION = "0.7.1"

eml.go

@@ -538,7 +538,7 @@ func parseMultiPartHeader(multiPartHeader string) (header string, optional map[s
 	headerSplit := strings.Split(multiPartHeader, ";")
 	header = headerSplit[0]
 	if len(headerSplit) == 1 {
-		return
+		return header, optional
 	}
 	for _, opt := range headerSplit[1:] {
 		optString := strings.TrimLeft(opt, " ")
@@ -547,7 +547,7 @@ func parseMultiPartHeader(multiPartHeader string) (header string, optional map[s
 			optional[optSplit[0]] = optSplit[1]
 		}
 	}
-	return
+	return header, optional
 }
 
 // parseEMLAttachmentEmbed parses a multipart that is an attachment or embed.

msg.go

@@ -1495,10 +1495,12 @@ func (m *Msg) GetSender(useFullAddr bool) (string, error) {
 			return "", ErrNoFromAddress
 		}
 	}
-	if useFullAddr {
-		return from[0].String(), nil
+
+	addr := from[0]
+	if !useFullAddr {
+		addr.Name = ""
 	}
-	return from[0].Address, nil
+	return addr.String(), nil
 }
 
 // GetRecipients returns a list of the currently set "TO", "CC", and "BCC" addresses for the Msg.
@@ -1522,7 +1524,8 @@ func (m *Msg) GetRecipients() ([]string, error) {
 			continue
 		}
 		for _, r := range addresses {
-			rcpts = append(rcpts, r.Address)
+			r.Name = ""
+			rcpts = append(rcpts, r.String())
 		}
 	}
 	if len(rcpts) <= 0 {