Breaking signatures in message/rfc822 attachement!

Here is the email signed by myself and broken
after delivery through mailman. Check the "To:" header line.

This is not limited to message/rfc822 at all:

As a specific example, create a message with an attachment
and add the header
Content-Disposition: attachment; filename="more-than-70-chars.
txt"
(all in a single line), then send it through a mailman-managed ml.
Result: mailman "fixes" the message to look like
Content-Disposition: attachment;
\tfilename="more-than-70-chars.txt"

It even does that inside a multipart/signed part, and this is
where it breaks the signature verification.

I have created a patch to address the problem.

[ 933757 ] fix for [815297] signatures break
https://sourceforge.net/tracker/index.php?func=detail&aid=933757&group_id=103&atid=300103

There is another possibility when
mailman breaks the signature and that is
when the signed part contains
an empty header with _two_ spaces after
the colon, like forward and sign an email with

X-Empty-Header-with-two-spaces:<space><space>

patch 933757 does not remedy this, though.

This is still a serious bug.
I guess that the real fix will be to rewrite the email
and mime handling classes to at least additionally save
an original version of the different email parts
without stripping and further formatting.

Originator: NO

It may be that bug number 1605144 is also related as that too is caused by
headers being wrapped by the Python email module automatically wrapping
headers at 78 characters.

This is certainly breaking my PGP/MIME messages being sent from KMail
through Mailman, and shows up in the MIME headers being wrapped and the
original headers in attached message/rfc822 attachments getting munged.

For example:

@@ -56,7 +103,9 @@
 Content-Type: message/rfc822;
   name="forwarded message"
 Content-Transfer-Encoding: 7bit
-Content-Description: "Rachana Ananthakrishnan" <email address hidden>:
[security-announce] Globus Security Advisory 2007-02: GSI-OpenSSH
vulnerability
+Content-Description: "Rachana Ananthakrishnan" <email address hidden>:
+ [security-announce] Globus Security Advisory 2007-02:
+ GSI-OpenSSH vulnerability
 Content-Disposition: inline

and, further on:

 Received: from localhost (localhost [127.0.0.1])
        by mailbouncer.mcs.anl.gov (Postfix) with ESMTP id 73FB112AC5
- for <email address hidden>; Mon, 9 Apr
2007 10:23:46 -0500 (CDT)
+ for <email address hidden>;
+ Mon, 9 Apr 2007 10:23:46 -0500 (CDT)
 Received: from mcs.anl.gov (cliff.mcs.anl.gov [140.221.9.17])

As I wrote in my comment on bug 1605144 it appears that by passing through
maxheaderlen set to 0 to all calls of Generator in the email module then
you shouldn't get this wrapping behaviour, though I don't know when this
appeared in Python.

Note that 1605144 in the above comment refers to sourceforge <http://sourceforge.net/tracker/index.php?func=detail&aid=1605144&group_id=103&atid=100103> which is LP bug 266375.

Does the patch address the problem of spaces in header lines?
(See my comment from 2004-05-11, lines like
X-Empty-Header-with-two-spaces:<space><space>)
From the changes in the 2.1 branch I think it does not.

Bernhard E. Reiter wrote:

>Does the patch address the problem of spaces in header lines?
>(See my comment from 2004-05-11, lines like
>X-Empty-Header-with-two-spaces:<space><space>)
>>From the changes in the 2.1 branch I think it does not.

I agree that it does not. It is just a slight refactoring of the Debian
"77_header_folding_in_attachments.patch" (See
<http://patch-tracker.debian.org/package/mailman>). It only addresses
folding of long headers and not escaping unescaped "From " lines.

The underlying issue is in the Python email package in that converting
an email massage from a flat text "on the wire" representation to an
email.Message.Message object and back does not return the exact
original text. This issue will be addressed in the new email 6.0
package, but that won't be available for Mailman for some time.