Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Emails being sent to NC contacts has recipient's email address duplicated in display-name #10530

Open
mjog opened this issue Dec 24, 2024 · 1 comment
Open

Emails being sent to NC contacts has recipient's email address duplicated in display-name #10530

mjog opened this issue Dec 24, 2024 · 1 comment
Labels
0. to triage bug

Comments

@mjog
Copy link

mjog commented Dec 24, 2024
edited
Loading

Steps to reproduce

  1. Send an email to a NC contact selected via autocomplete, e.g. Test Contact that has email address [email protected]
  2. View the source of the email that was sent
  3. Observe the To header value

Expected behavior

The To header has value "Test Contact" <[email protected]> and hence does to trigger Display Name spoofing attack mitigations.

Actual behavior

The To header has value "Test Contact ([email protected])" <[email protected]>, which triggers Display Name spoofing attack mitigations.

Mail app version

4.1.1

Nextcloud version

30.0.4

Mailserver or service

Postfix + Dovecot

Operating system

Linux

PHP engine version

PHP 8.2

Nextcloud memory caching

N/A

Web server

Apache (supported)

Database

MariaDB

Additional info

No response
@mjog
Copy link
Author

mjog commented Dec 24, 2024

Oh, just to be clear, I'm not sure if NC Mail itself implements any Display Name spoofing attack mitigations (if not, it should), but the mitigations I am talking about being triggered by t his behaviour are in other MTAs/MUAs.

@mjog mjog changed the title Emails being sent to NC contacts recipient's email address duplicated in display-name Emails being sent to NC contacts has recipient's email address duplicated in display-name Dec 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. to triage bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mjog