32 lines
918 B
Plaintext
32 lines
918 B
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
* Use an email library which sanitizes headers (java.mail >= 1.5.6).
|
|
* Use html escape functions to sanitize every piece of data used to in the email body.
|
|
* Verify application logic to make sure that email base feature can not be abuse to:
|
|
** Send arbitrary email for spamming or fishing
|
|
** Disclose sensitive email content
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
import javax.mail.*;
|
|
import javax.mail.internet.MimeMessage;
|
|
|
|
public class Main {
|
|
public static void sendEmail (Session session, String subject) throws MessagingException{
|
|
Message message = new MimeMessage(session); // Sensitive
|
|
|
|
// For example the setSubject method is vulnerable to Header injection before
|
|
// version 1.5.6 of javamail
|
|
message.setSubject(subject);
|
|
// ...
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|