Skip to content

Reject RFC 2047 encoded-words in address validation #652

Description

@bbottema

A private report pointed out that RFC 2047 encoded-word syntax can be placed in an email address local-part and currently passes Simple Java Mail's default send-time address validation, for example:

String address = "=?utf-8?q?=40evil.com=00?=@microsoft.com";

Triage result:

  • RFC 2047 encoded-words are explicitly forbidden inside an addr-spec; they are only valid in selected header text/name positions such as a display-name phrase.
  • Current Simple Java Mail validation delegates address validity to the configured validator, which lets this form pass.
  • Angus/Jakarta Mail sends the SMTP envelope recipient literally as RCPT TO:<=?utf-8?q?=40evil.com=00?=@microsoft.com>; I could not reproduce the reported claim that Simple Java Mail or Angus Mail decodes this into delivery to the embedded domain.

Even though the routing claim is not reproduced, Simple Java Mail should reject RFC 2047 encoded-word syntax in address fields because the address is invalid and can confuse downstream domain-policy code that inspects Recipient#getAddress().

Scope:

  • Reject encoded-words in sender, recipients, reply-to, bounce-to, DSN, and receipt address fields during validation.
  • Keep encoded-word/display-name handling untouched; the restriction only applies to the address spec value.
  • No API shape change.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions