Projects
Eulaceura:Mainline:GA
exim
_service:obs_scm:backport-bug3099-MIME-support-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:backport-bug3099-MIME-support-RFC-2331-for-name.patch of Package exim
From 1b3209b0577a9327ebb076f3b32b8a159c253f7b Mon Sep 17 00:00:00 2001 From: Jeremy Harris <jgh146exb@wizmail.org> Date: Tue, 2 Jul 2024 14:41:19 +0100 Subject: [PATCH] MIME: support RFC 2331 for name=. Bug 3099 --- doc/ChangeLog | 2 + src/mime.c | 181 ++++++++++++++++++++++++++------------------------ 2 files changed, 96 insertions(+), 87 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 635f408..5d8b2a1 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -223,6 +223,8 @@ JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses. JH/45 Bug 3099: fix parsing of MIME filenames split over multiple paramemters. Previously the $mime_filename variable would have an incorrect value. + While in the code, extend coverage to name= which previously was only + supported for single parameters, despite also filling in $mime_filename. HS/02 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031) diff --git a/src/mime.c b/src/mime.c index 5f9e1ad..8044bb3 100644 --- a/src/mime.c +++ b/src/mime.c @@ -30,10 +30,10 @@ static int mime_header_list_size = nelem(mime_header_list); static mime_parameter mime_parameter_list[] = { /* name namelen value */ - { US"name=", 5, &mime_filename }, - { US"filename=", 9, &mime_filename }, - { US"charset=", 8, &mime_charset }, - { US"boundary=", 9, &mime_boundary } + { US"name", 4, &mime_filename }, + { US"filename", 8, &mime_filename }, + { US"charset", 7, &mime_charset }, + { US"boundary", 8, &mime_boundary } }; @@ -577,8 +577,8 @@ while(1) if (*(p = q)) p++; /* jump past the ; */ { - uschar * mime_fname = NULL; - uschar * mime_fname_rfc2231 = NULL; + gstring * mime_fname = NULL; + gstring * mime_fname_rfc2231 = NULL; uschar * mime_filename_charset = NULL; BOOL decoding_failed = FALSE; @@ -590,90 +590,92 @@ while(1) DEBUG(D_acl) debug_printf_indent("MIME: considering paramlist '%s'\n", p); - if ( strncmpic(CUS"content-disposition:", header, 20) == 0 - && strncmpic(CUS"filename*", p, 9) == 0 - ) - { /* RFC 2231 filename */ - uschar * q; - - /* find value of the filename */ - p += 9; - while(*p != '=' && *p) p++; - if (*p) p++; /* p is filename or NUL */ - q = mime_param_val(&p); /* p now trailing ; or NUL */ - - if (q && *q) + /* look for interesting parameters */ + for (mime_parameter * mp = mime_parameter_list; + mp < mime_parameter_list + nelem(mime_parameter_list); + mp++ + ) if (strncmpic(mp->name, p, mp->namelen) == 0) + { + p += mp->namelen; + if (*p == '*') /* RFC 2231 */ { - uschar * temp_string, * err_msg, * fname = q; - int slen; - - /* build up an un-decoded filename over successive - filename*= parameters (for use when 2047 decode fails) */ -/*XXX could grow a gstring here */ - - mime_fname_rfc2231 = string_sprintf("%#s%s", - mime_fname_rfc2231, q); - - if (!decoding_failed) + while (isdigit(*++p)) ; /* ignore cont-cnt values */ + if (*p == '*') p++; /* step over sep chset mark */ + if (*p == '=') { - int size; - if (!mime_filename_charset) + uschar * q; + p++; /* step over = */ + q = mime_param_val(&p); /* p now trailing ; or NUL */ + + if (q && *q) /* q is the dequoted value */ { - uschar * s = q; + uschar * err_msg, * fname = q; + int slen; + + /* build up an un-decoded filename over successive + filename*= parameters (for use when 2047 decode fails) */ - /* look for a ' in the "filename" */ - while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ + mime_fname_rfc2231 = string_cat(mime_fname_rfc2231, q); - if (*s) /* there was a ' */ + if (!decoding_failed) { - if ((size = s-q) > 0) - mime_filename_charset = string_copyn(q, size); - - if (*(fname = s)) fname++; - while(*fname == '\'') fname++; /* fname is after 2nd ' */ - } - } - - DEBUG(D_acl) - debug_printf_indent("MIME: charset %s fname '%s'\n", - mime_filename_charset ? mime_filename_charset : US"<NULL>", - fname); - - temp_string = rfc2231_to_2047(fname, mime_filename_charset, - &slen); - DEBUG(D_acl) - debug_printf_indent("MIME: 2047-name %s\n", temp_string); - - temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', - NULL, &err_msg); - DEBUG(D_acl) - debug_printf_indent("MIME: plain-name %s\n", temp_string); - - if (!temp_string || (size = Ustrlen(temp_string)) == slen) - decoding_failed = TRUE; - else - /* build up a decoded filename over successive - filename*= parameters */ - - mime_filename = mime_fname = mime_fname - ? string_sprintf("%s%s", mime_fname, temp_string) - : temp_string; - } /*!decoding_failed*/ - } /*q*/ - } /*2231 filename*/ - - else - /* look for interesting parameters */ - for (mime_parameter * mp = mime_parameter_list; - mp < mime_parameter_list + nelem(mime_parameter_list); - mp++ - ) if (strncmpic(mp->name, p, mp->namelen) == 0) - { - uschar * q; - uschar * dummy_errstr; + if (!mime_filename_charset) + { /* try for RFC 2231 chset/lang */ + uschar * s = q; + + /* look for a ' in the raw paramval */ + while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ + + if (*s) /* there was a ' */ + { + int size; + if ((size = s-q) > 0) + mime_filename_charset = string_copyn(q, size); + + if (*(fname = s)) fname++; + while(*fname == '\'') fname++; /*fname is after 2nd '*/ + } + } + + DEBUG(D_acl) + debug_printf_indent("MIME: charset %s fname '%s'\n", + mime_filename_charset ? mime_filename_charset : US"<NULL>", + fname); + + fname = rfc2231_to_2047(fname, mime_filename_charset, + &slen); + DEBUG(D_acl) + debug_printf_indent("MIME: 2047-name %s\n", fname); + + fname = rfc2047_decode(fname, FALSE, NULL, ' ', + NULL, &err_msg); + DEBUG(D_acl) debug_printf_indent( + "MIME: plain-name %s\n", fname); + + if (!fname || Ustrlen(fname) == slen) + decoding_failed = TRUE; + else if (mp->value == &mime_filename) + { + /* build up a decoded filename over successive + filename*= parameters */ + + mime_fname = string_cat(mime_fname, fname); + mime_filename = string_from_gstring(mime_fname); + } + } /*!decoding_failed*/ + } /*q*/ + + if (*p) p++; /* p is past ; */ + goto param_done; /* done matching param names */ + } /*2231 param coding extension*/ + } + else if (*p == '=') + { /* non-2231 param */ + uschar * q, * dummy_errstr; /* grab the value and copy to its expansion variable */ - p += mp->namelen; + + if (*p) p++; /* step over = */ q = mime_param_val(&p); /* p now trailing ; or NUL */ *mp->value = q && *q @@ -684,26 +686,31 @@ while(1) "MIME: found %s parameter in %s header, value '%s'\n", mp->name, mh->name, *mp->value); - break; /* done matching param names */ + if (*p) p++; /* p is past ; */ + goto param_done; /* done matching param names */ } - + } /* interesting parameters */ /* There is something, but not one of our interesting parameters. Advance past the next semicolon */ + p = mime_next_semicolon(p); if (*p) p++; - } /* param scan on line */ + param_done: + } /* param scan on line */ if (strncmpic(CUS"content-disposition:", header, 20) == 0) { - if (decoding_failed) mime_filename = mime_fname_rfc2231; + if (decoding_failed) + mime_filename = string_from_gstring(mime_fname_rfc2231); DEBUG(D_acl) debug_printf_indent( "MIME: found %s parameter in %s header, value is '%s'\n", "filename", mh->name, mime_filename); } } - } + break; + } /* interesting headers */ /* set additional flag variables (easier access) */ if ( mime_content_type -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2