[exim-cvs] Account properly for quoted or 2047-encoded MIME …

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Account properly for quoted or 2047-encoded MIME parameters while walking headers. Bug 1558
Gitweb: http://git.exim.org/exim.git/commitdiff/5c6cf6a0d5cb7da39e7fde01dca1ff862c1fa1c8
Commit:     5c6cf6a0d5cb7da39e7fde01dca1ff862c1fa1c8
Parent:     30079bc1d20c0473d012ef33654358cfadb0a2ff
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Dec 14 15:15:34 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Dec 14 15:15:34 2014 +0000


    Account properly for quoted or 2047-encoded MIME parameters while walking headers. Bug 1558
---
 src/src/mime.c                  |  103 +++++++++++++++++++++------------------
 test/log/4000                   |    3 +
 test/mail/4000.userx            |   38 ++++++++++++++
 test/scripts/4000-scanning/4000 |   29 +++++++++++
 test/stdout/4000                |   11 ++++
 5 files changed, 137 insertions(+), 47 deletions(-)


diff --git a/src/src/mime.c b/src/src/mime.c
index ab701f2..a61e9f2 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -528,26 +528,24 @@ while(1)
    */
   if (context != NULL)
     {
-    while(fgets(CS header, MIME_MAX_HEADER_SIZE, f) != NULL)
+    while(fgets(CS header, MIME_MAX_HEADER_SIZE, f))
       {
       /* boundary line must start with 2 dashes */
-      if (Ustrncmp(header,"--",2) == 0)
-        {
-    if (Ustrncmp((header+2),context->boundary,Ustrlen(context->boundary)) == 0)
+      if (  Ustrncmp(header, "--", 2) == 0
+     && Ustrncmp(header+2, context->boundary, Ustrlen(context->boundary)) == 0)
+    {
+    /* found boundary */
+    if (Ustrncmp((header+2+Ustrlen(context->boundary)), "--", 2) == 0)
       {
-      /* found boundary */
-      if (Ustrncmp((header+2+Ustrlen(context->boundary)),"--",2) == 0)
-        {
-        /* END boundary found */
-        debug_printf("End boundary found %s\n", context->boundary);
-        return rc;
-        }
-      else
-        debug_printf("Next part with boundary %s\n", context->boundary);
-
-      /* can't use break here */
-      goto DECODE_HEADERS;
+      /* END boundary found */
+      debug_printf("End boundary found %s\n", context->boundary);
+      return rc;
       }
+    else
+      debug_printf("Next part with boundary %s\n", context->boundary);
+
+    /* can't use break here */
+    goto DECODE_HEADERS;
     }
       }
     /* Hit EOF or read error. Ugh. */
@@ -557,92 +555,103 @@ while(1)


 DECODE_HEADERS:
   /* parse headers, set up expansion variables */
-  while (mime_get_header(f,header))
+  while (mime_get_header(f, header))
     {
     int i;
     /* loop through header list */
     for (i = 0; i < mime_header_list_size; i++)
-      {
-      uschar *header_value = NULL;
-      int header_value_len = 0;
-
-      /* found an interesting header? */
-      if (strncmpic(mime_header_list[i].name,header,mime_header_list[i].namelen) == 0)
-    {
-    uschar *p = header + mime_header_list[i].namelen;
-    /* yes, grab the value (normalize to lower case)
-       and copy to its corresponding expansion variable */
+      if (strncmpic(mime_header_list[i].name,
+        header, mime_header_list[i].namelen) == 0)
+    {                /* found an interesting header */
+    uschar * header_value;
+    int header_value_len;
+    uschar * p = header + mime_header_list[i].namelen;
+
+    /* grab the value (normalize to lower case)
+    and copy to its corresponding expansion variable */
     while(*p != ';')
       {
       *p = tolower(*p);
       p++;
       }
-    header_value_len = (p - (header + mime_header_list[i].namelen));
-    header_value = (uschar *)malloc(header_value_len+1);
-    memset(header_value,0,header_value_len+1);
+    header_value_len = p - (header + mime_header_list[i].namelen);
     p = header + mime_header_list[i].namelen;
-    Ustrncpy(header_value, p, header_value_len);
-    debug_printf("Found %s MIME header, value is '%s'\n", mime_header_list[i].name, header_value);
+    header_value = string_copyn(p, header_value_len);
+    debug_printf("Found %s MIME header, value is '%s'\n",
+            mime_header_list[i].name, header_value);
     *((uschar **)(mime_header_list[i].value)) = header_value;


     /* make p point to the next character after the closing ';' */
-    p += (header_value_len+1);
+    p += header_value_len+1;


-    /* grab all param=value tags on the remaining line, check if they are interesting */
+    /* grab all param=value tags on the remaining line,
+    check if they are interesting */
 NEXT_PARAM_SEARCH:
-    while (*p != 0)
+    while (*p)
       {
       mime_parameter * mp;
       for (mp = mime_parameter_list;
            mp < &mime_parameter_list[mime_parameter_list_size];
            mp++)
         {
-        uschar *param_value = NULL;
-        int param_value_len = 0;
+        uschar * param_value = NULL;


         /* found an interesting parameter? */
         if (strncmpic(mp->name, p, mp->namelen) == 0)
           {
-          uschar *q = p + mp->namelen;
+          uschar * q = p + mp->namelen;
+          int plen = 0;
           int size = 0;
           int ptr = 0;


           /* yes, grab the value and copy to its corresponding expansion variable */
           while(*q && *q != ';')        /* ; terminates */
-        {
         if (*q == '"')
           {
           q++;                /* skip leading " */
-          while(*q && *q != '"')    /* which protects ; */
+          plen++;            /* and account for the skip */
+          while(*q && *q != '"')    /* " protects ; */
+            {
             param_value = string_cat(param_value, &size, &ptr, q++, 1);
-          if (*q) q++;            /* skip trailing " */
+            plen++;
+            }
+          if (*q)
+            {
+            q++;            /* skip trailing " */
+            plen++;
+            }
           }
         else
+          {
           param_value = string_cat(param_value, &size, &ptr, q++, 1);
-        }
+          plen++;
+          }
+
           if (param_value)
         {
         param_value[ptr++] = '\0';
-        param_value_len = ptr;


         param_value = rfc2047_decode(param_value,
-              check_rfc2047_length, NULL, 32, &param_value_len, &q);
+              check_rfc2047_length, NULL, 32, NULL, &q);
         debug_printf("Found %s MIME parameter in %s header, "
               "value is '%s'\n", mp->name, mime_header_list[i].name,
               param_value);
         }
           *mp->value = param_value;
-          p += (mp->namelen + param_value_len + 1);
+          p += mp->namelen + plen + 1;    /* name=, content, ; */
           goto NEXT_PARAM_SEARCH;
         }
       }
       /* There is something, but not one of our interesting parameters.
          Advance to the next semicolon */
-      while(*p != ';') p++;
+      while(*p != ';')
+        {
+        if (*p == '"') while(*++p && *p != '"') ;
+        p++;
+        }
       p++;
     }
       }
-    }
   }


/* set additional flag variables (easier access) */
diff --git a/test/log/4000 b/test/log/4000
index c5d503a..a6f5d2f 100644
--- a/test/log/4000
+++ b/test/log/4000
@@ -4,3 +4,6 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@???> R=r1 T=t1
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@???> R=r1 T=t1
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
diff --git a/test/mail/4000.userx b/test/mail/4000.userx
index ec9b2cb..725770d 100644
--- a/test/mail/4000.userx
+++ b/test/mail/4000.userx
@@ -180,3 +180,41 @@ foobar

--T4sUOijqQbZv57TR--

+From CALLER@??? Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test.ex)
+    by myhost.test.ex with local-esmtp (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmaZ-0005vi-00
+    for userx@???; Tue, 2 Mar 1999 09:44:33 +0000
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+From: J Caesar <jcaesar@???>
+To: a-list00@???
+Message-ID: <20041217133501.GA3059@???>
+Mime-Version: 1.0
+Content-Type: text/html;
+        charset=UTF-8;
+        name=""
+Content-Disposition: inline
+Subject: Nasty
+Sender: CALLER_NAME <CALLER@???>
+X-0-content-type: text/html
+X-0-filename: 
+X-0-charset: UTF-8
+X-0-boundary: 
+X-0-content-disposition: inline
+X-0-content-transfer-encoding: 
+X-0-content-id: 
+X-0-content-description: 
+X-0-is-multipart: 0
+X-0-is-coverletter: 1
+X-0-is-rfc822: 0
+X-0-decode-filename: TESTSUITE/spool/scan/10HmaZ-0005vi-00/10HmaZ-0005vi-00-00000
+X-0-content-size: 1
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+
diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000
index 649f982..2f760bc 100644
--- a/test/scripts/4000-scanning/4000
+++ b/test/scripts/4000-scanning/4000
@@ -97,3 +97,32 @@ foobar
 .
 quit
 ****
+#
+#
+# This one has a different rotten parameter, but should not induce a crash
+#
+exim -odi -bs
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@???>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+From: J Caesar <jcaesar@???>
+To: a-list00@???
+Message-ID: <20041217133501.GA3059@???>
+Mime-Version: 1.0
+Content-Type: text/html;
+        charset=UTF-8;
+        name=""
+Content-Disposition: inline
+Subject: Nasty
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+.
+quit
+****
diff --git a/test/stdout/4000 b/test/stdout/4000
index 789a8fe..42d2eef 100644
--- a/test/stdout/4000
+++ b/test/stdout/4000
@@ -20,3 +20,14 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmaY-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaZ-0005vi-00
+221 myhost.test.ex closing connection