Backporting commits from July 3rd and 4th to 2.x branch needed?

[dodmi]

Hi @lieser,

I had a look on your committed fixes to the master branch from the weekend.
As far as I can see, you mainly improved parsing from and list-id fields in your custom parsing functions and added better error messages if these functions fail.

In the 2.x branch Thunderbird's own function msgHeaderParser.extractHeaderAddressMailboxes() is used to do the header address parsing.

The Thunderbird method seems much more relaxed and will also return wrong formatted addresses / ids. So, I'd need to implement some tests on the result, to get a stricter checking of the fields to resemble the reults in the master branch's functions.

Do you think, I should try to change the 2.x code? At the moment it seems to be more tolerant about wrong formatted headers, but therefore the error messages aren't as good as in the master branch.

[lieser]

I do not think backporting is worth the effort. I would be surprised if the relaxed parsing from Thunderbird could be used in an actual attack.

The reason why the current parsing is so strict:

• Simply rejecting bad headers makes it simpler to ensure that the wrong think is not extracted (e.g. from "bar@bad.com" <foo@example.com>). I would assume that Thunderbird's relaxed parsing would still prevent this.
• I personally prefer to default to being strict about what to accept (https://datatracker.ietf.org/doc/html/draft-iab-protocol-maintenance-04)

Also note that current parsing of the from has also one big disadvantage: It is incomplete, and does not accept all possible obsolete but valid from headers.

And the better error message for failing the from parsing does not bring anything unless you start to encounter mails there is actually fails. Which is probably very unlikely with Thunderbird's own parsing.

In general about the backporting:
I will try to remember to ping you if I encounter a bug that affects the 2.x version and is critical.
You should otherwise mainly focus on bugs that affect you personally. Or new features that you want, but backporting these will probably be more effort than bugfixes.
Looking at https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/statistics/usage/versions/?last=30, it unfortunately looks like not many picked up the 2.2.1 version.

[dodmi]

Thank you for the detailed explanation.

Yes, I'll focus on problems, that occur in my installation. But your addon has been working very well for years.
I gladly provide my fixes for all users, which are still using the old Thunderbird, too. But I'm not looking for download numbers, I'm doing this for myself - as long as I'll be using it.