IndexError if spf_results.smtp_mailfrom only contains a domain (and no local part) #33
Description
Issue description
If an Authentication-Results-section is evaluate (via authenticate_message(...) method) and the SPF smtp.mailfrom information contains only a domain (not a mail address) (e.g. spf=pass smtp.mailfrom=example.com) the library will throw an IndexError.
Dec 19 18:03:25 2024 (534425) Uncaught runner exception: list index out of range
Dec 19 18:03:25 2024 (534425) Traceback (most recent call last):
[...]
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 396, in authenticate_message
dmarc_result = check_dmarc(msg, spf_result, dkim_result, dnsfunc=dnsfunc, psddmarc=psddmarc)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 344, in check_dmarc
result, result_comment, from_domain, policy = dmarc_per_from(from_domain, spf_result, dkim_result, dnsfunc, psddmarc)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 234, in dmarc_per_from
mail_from_domain = get_domain_part(spf_result.smtp_mailfrom)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/authheaders/__init__.py", line 53, in get_domain_part
return res[0].lower().decode('ascii')
~~~^^^
IndexError: list index out of range
Versions
- Debian Version=
12.1 python3-authheaders=0.15.2-1(https://packages.debian.org/bookworm/python3-authheaders)- Issue also exists in ValiMail/authentication-headers - Master or Tag <= 0.16.3
Analysis
As referenced in RFC7208 - 9.2. -SPF Results in the Authentication-Results Header Field the SPF check information smtp.mailfrom can be equal to a FQDN or a mail address. From a data protection perspective only the FQDN is recommended, cause the SPF check do not require the local part of an mail address.
This is also mentioned within this project and incorrectly set to none if an IndexError occurs:
authentication-headers/authheaders/__init__.py
Lines 233 to 239 in 9c62915
The relevant code is here:
authentication-headers/authheaders/__init__.py
Lines 46 to 53 in 9c62915
But the regex will only work if an @-sign is provided, otherwise res = [] will be empty and any index access will throw an IndexError.
"Solution"
The regex should be able to extract the domain part correctly.
I was not able to find a (simple) valid regex without including an external library to extract the domain part (https://en.wikipedia.org/wiki/Email_address#Domain) of any given valid mail address within the smtp.mailfrom=... field.
A hotfix-solution is a split of the mailfrom-strings corresponding to valid domain characters and take the last element of the result, like:
- res = re.findall(b'@([a-z0-9.]+)', address, re.IGNORECASE)
+ res = re.findall(b'([a-z0-9-.]+\.[a-z]{2,})', address, re.IGNORECASE)
- return res[0].lower().decode('ascii')
+ return res[-1].lower().decode('ascii')As there are existing test cases adding a new test case will show that will work and not interfere with old possible checked strings:
- froms_to_test = [['test@example.com', 'example.com'], [""""Test, User" <test@example.com>""", 'example.com'], ["""Test User <test@sub2.example.biz>""", 'sub2.example.biz'], ["""=?UTF-8?B?QmVkIEJhdGggJiBCZXlvbmQ=?=<BdBth&Byond@example.com>""", 'example.com'], ]
+ froms_to_test = [['example.com','example.com'], '['test@example.com', 'example.com'], [""""Test, User" <test@example.com>""", 'example.com'], ["""Test User <test@sub2.example.biz>""", 'sub2.example.biz'], ["""=?UTF-8?B?QmVkIEJhdGggJiBCZXlvbmQ=?=<BdBth&Byond@example.com>""", 'example.com'], ]authentication-headers/authheaders/test/test_authentication.py
Lines 153 to 157 in 9c62915