What's Changed
- Strip control characters (CR/LF) from attachment filenames and from decoded header parameter and MIME-encoded-word values -- thanks @iliaal.
- Add configurable limits to MIME parsing, each recording a parse error when reached (override via DI config) -- thanks @iliaal:
  - maxMimePartDepth (default 256) -- maximum multipart nesting depth
  - maxHeaderCount (default 1000) -- maximum headers per part
  - maxHeaderSizeBytes (default 1048576) -- maximum total header bytes per part
- Append child parts in O(n) rather than O(n²) -- thanks @iliaal.
- Generate MIME boundaries with random_bytes() -- thanks @iliaal.
Security
This release fixes two privately reported vulnerabilities:
- GHSA-36h5-qg4p-q2qf -- CRLF header injection via attachment filename.
- GHSA-f6v3-2qmr-vfjx -- uncontrolled resource consumption (CPU/memory) when parsing untrusted MIME.
Found and reported privately by @iliaal, who also proposed fixes that informed the patches. Upgrading is recommended.
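To illustrate the control-character stripping and the maxHeaderCount limit listed above, here is an added PHP example (not the library's own code) that strips CR/LF from an attachment filename before building a Content-Disposition header and records a parse error when a header block exceeds a configurable header count. The function names and the sample filename are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the library's own code. Function names and the sample
// filename are constructed for illustration.

/** Strip ASCII control characters (CR, LF, and the rest of 0x00-0x1F plus DEL). */
function stripControlChars(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
}

/** Build a Content-Disposition header line, optionally sanitizing the filename first. */
function contentDispositionHeader(string $filename, bool $sanitize): string
{
    if ($sanitize) {
        $filename = stripControlChars($filename);
    }
    // Escape backslash and double quote so the value stays a single quoted-string.
    $quoted = str_replace(['\\', '"'], ['\\\\', '\\"'], $filename);
    return 'Content-Disposition: attachment; filename="' . $quoted . '"';
}

/**
 * Count header lines in a raw header block; once the count exceeds $maxHeaderCount
 * a parse error is recorded and the rest is ignored (constructed analogue of the
 * maxHeaderCount limit described above, not the library's implementation).
 */
function countHeaders(string $rawHeaders, int $maxHeaderCount, array &$errors): int
{
    $count = 0;
    foreach (preg_split('/\r\n|\n/', rtrim($rawHeaders)) as $line) {
        if ($line === '' || ctype_space($line[0])) {
            continue; // blank line or folded continuation, not a new header
        }
        if (++$count > $maxHeaderCount) {
            $errors[] = "header count exceeds limit of $maxHeaderCount";
            break;
        }
    }
    return $count;
}

// Constructed untrusted filename carrying a CRLF sequence followed by header-like text.
$untrusted = "report.pdf\r\nX-Injected: yes";
$errors = [];
// Without stripping, the CRLF ends the header line and the trailing text is parsed
// as a second header; with stripping, the whole value stays inside the quoted filename.
var_dump(countHeaders(contentDispositionHeader($untrusted, false), 1000, $errors));
var_dump(countHeaders(contentDispositionHeader($untrusted, true), 1000, $errors));
```

Passing a limit of 1 instead of 1000 on the unsanitized header exercises the parse-error path, leaving the recorded message in $errors.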