
#147 Incorrect parsing of whitespace containing policy values

1.3.1
closed
None
2017-03-04
2015-12-24
Thomas
No

It seems that libopendmarc drops everything after it encounters whitespace in a DMARC policy value.

This issue causes at least two problems:

  • Only the first URI listed (in rua or ruf tags) is considered. Other URIs are simply dropped and never parsed.
  • Syntactically incorrect policy records will go unnoticed when the broken syntax occurs after a value's whitespace, potentially leading to unexpected results.

DEMO - MULTIPLE RUA/RUF URIs
DMARC DNS query for pfizer.com - two URIs in both rua and ruf
_dmarc.pfizer.com. 3599 IN TXT "v=DMARC1\; p=none\; rua=mailto:pfizer@rua.agari.com, mailto:dmarc.rua@pfizer.com\; ruf=mailto:pfizer@ruf.agari.com, mailto:dmarc.ruf@pfizer.com"

opendmarc-check pfizer.com - only one URI is considered in both rua and ruf.

DMARC record for pfizer.com:
    Sample percentage: 100
    DKIM alignment: relaxed
    SPF alignment: relaxed
    Domain policy: none
    Subdomain policy: unspecified
    Aggregate report URIs:
        mailto:pfizer@rua.agari.com
    Forensic report URIs:
        mailto:pfizer@ruf.agari.com

DEMO - UNNOTICED POLICY ERRORS
The policy v=DMARC1; p=none rua=mailto:thomas@example.com; ruf=mailto:thomas@example.com; is broken (no semi-colon). Currently, opendmarc will just accept this policy and the rua field will be ignored (as it was dropped).

CAUSE
opendmarc_policy_parse_dmarc calls opendmarc_util_cleanup on tag values it extracts from the DMARC record (line 909 libopendmarc/opendmarc_policy.c). There, opendmarc_util_cleanup drops everything after the whitespace, and thus the second part of the tag's value is lost.
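
The behaviour described under CAUSE, as an added illustration that is not code from libopendmarc or from the patch attached to this ticket. The function names cleanup_truncating, cleanup_trimming and count_uris are hypothetical: the first stops copying at the first whitespace, the second trims only leading and trailing whitespace.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the reported behaviour: stop at first whitespace. */
static char *cleanup_truncating(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    while (isspace((unsigned char)*in)) in++;          /* skip leading whitespace */
    while (*in && !isspace((unsigned char)*in) && n + 1 < outlen)
        out[n++] = *in++;                              /* copy up to first whitespace */
    if (outlen) out[n] = '\0';
    return out;
}

/* Hypothetical corrected form: trim both ends, keep interior whitespace. */
static char *cleanup_trimming(const char *in, char *out, size_t outlen)
{
    while (isspace((unsigned char)*in)) in++;
    size_t len = strlen(in);
    while (len > 0 && isspace((unsigned char)in[len - 1])) len--;
    if (outlen == 0) return out;
    if (len > outlen - 1) len = outlen - 1;            /* never overrun the buffer */
    memcpy(out, in, len);
    out[len] = '\0';
    return out;
}

/* Count the comma-separated URIs in a cleaned rua/ruf value. */
static int count_uris(const char *p)
{
    int count = 0;
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (!*p) break;
        count++;
        while (*p && *p != ',') p++;
    }
    return count;
}

int main(void)
{
    /* rua value and broken p value taken from the two demos in the ticket */
    const char *rua = " mailto:pfizer@rua.agari.com, mailto:dmarc.rua@pfizer.com";
    char buf[256];
    printf("truncating: %d URI(s)\n", count_uris(cleanup_truncating(rua, buf, sizeof buf)));
    printf("trimming:   %d URI(s)\n", count_uris(cleanup_trimming(rua, buf, sizeof buf)));
    printf("p seen as: \"%s\"\n", cleanup_truncating("none rua=mailto:thomas@example.com", buf, sizeof buf));
    return 0;
}
```

With the trimming form, the broken p value from the second demo stays "none rua=mailto:thomas@example.com", so a later comparison against the valid policy names can reject it instead of silently accepting "none".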

Discussion

  • Thomas

    Thomas - 2016-01-04

    Here is a quick patch of opendmarc_util_cleanup (in opendmarc_util.c) that preserves the whitespace within tag names and tag values and should solve the issues raised above. (Patch credits go to Job Noorman)

     
  • Murray S. Kucherawy

    • assigned_to: Murray S. Kucherawy
     
  • Murray S. Kucherawy

    Patch applied for 1.3.2.

     
  • Murray S. Kucherawy

    • status: open --> closed
     
  • Murray S. Kucherawy

    v1.3.2 released.

     
