From oss-security Tue Apr 30 22:48:23 2024
From: Steffen Nurpmeso
Date: Tue, 30 Apr 2024 22:48:23 +0000
To: oss-security
Subject: Re: [oss-security] New SMTP smuggling attack
Message-Id: <20240430224823.uA8Nr1Cp () steffen%sdaoden ! eu>
X-MARC-Message: https://marc.info/?l=oss-security&m=171451778103517

Mark Esler wrote in
 :
 |To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
 |should comply with RFC 5321 section 4.1.1.4 [0] to strip control
 |characters other than , , , and in the DATA section of
 |SMTP messages.

Given that RFC 733 is from 1977 and RFC 822 is from 1982 i feel
this entire thread is exaggerating.
The smuggling problem solely was rooted in the LF / CRLF "wars"
from at minimum the early 70s (Unix and more), with terminal
drivers doing auto-translation on-the-fly etc etc etc.
The internet history list may be worthwhile for this, or examining
the history of Unix programs.
Ie, in January i also (funny) talked to John Klensin on an IETF
list saying

  [.]The CR/LF "problem" seems to have been "addressed" in UNIX as
  early as 1972, ie "6/12/72 STTY (II)" gives

     020 map CR into LF; echo LF or CR as LF-CR
     ...
     Mode 020 causes input carriage returns to be turned into
     new-lines; input of either CR or LF causes LF-CR both to be
     echoed (used for GE TermiNet 300's and other terminals without
     the newline function).

  In 1974 it became

     -nl allow carriage return for new-line, and output CR-LF for
         carriage return or new-line
     nl  accept only new-line to end lines

  Which makes me *think* that "Houston, we have a problem" was
  ACKnowledged, and in order not to be a crook something would
  have been done about it, saving even a byte per line.
  But i do not know, this was all military and other high sphere
  academics by then.
  Interesting, by the way, that "so many" expensive decisions were
  deemed necessary[.]

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)