Merge tag '1.14.3' into develop

Closes #352
TheHive-Project · Nov 28, 2018 · 3c7787b · 3c7787b
2 parents 93148b8 + 2d5034e
commit 3c7787b
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/analyzers/EmlParser/parse.py b/analyzers/EmlParser/parse.py
@@ -6,6 +6,7 @@
 import magic
 import binascii
 import hashlib
+import base64
 from pprint import pprint
 
 class EmlParserAnalyzer(Analyzer):
@@ -80,7 +81,21 @@ def parseEml(filepath):
     result['topic'] = ', '.join(parsed_eml.get('header', '').get('header', '').get('thread-topic', ''))
     result['bcc'] = parsed_eml.get('header', '').get('header', '').get('bcc', '')
     result['displayto'] = ', '.join(parsed_eml.get('header', '').get('header', '').get('to', ''))
-    result['body'] = parsed_eml['body'][0]['content']
+
+    #for some emails, the body field is empty because the email body is
+    #identified as an attachment
+    if parsed_eml['body']:
+        #normal case
+        result['body'] = parsed_eml['body'][0]['content']
+    else:
+        #email body is in attachment
+        #from what I've seen, there are 2 attachments
+        #one with the email body as text
+        #and one with the email body as text but wrapped in html
+        #let's arbitrary take the one wrapped in html as body
+        for attachment in parsed_eml['attachment']:
+            if 'HTML text' in attachment['content_header']['content-description']:
+                result['body'] = base64.b64decode(attachment['raw']).decode('utf-8')
 
     #attachments
     try: