[exim-cvs] MIME: recode 2231-to-2047 safely. Bug 466

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] MIME: recode 2231-to-2047 safely. Bug 466
Gitweb: http://git.exim.org/exim.git/commitdiff/627d1a1b61d9c535835221afcbe1b9cd6548cd3b
Commit:     627d1a1b61d9c535835221afcbe1b9cd6548cd3b
Parent:     f846c8f531d5615c24a6d4dc0afb9815c4f766f7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Apr 26 16:25:11 2015 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Apr 26 16:25:11 2015 +0100


    MIME: recode 2231-to-2047 safely.  Bug 466


    The original expansion was vulnerable to odd filenames.
---
 src/src/mime.c |   32 +++++++++++++++++++++++++++-----
 1 files changed, 27 insertions(+), 5 deletions(-)


diff --git a/src/src/mime.c b/src/src/mime.c
index aeab33d..6bffa78 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -543,6 +543,32 @@ return s;
}


+static uschar *
+rfc2231_to_2047(const uschar * fname, const uschar * charset, int * len)
+{
+int size = 0, ptr = 0;
+uschar * val = string_cat(NULL, &size, &ptr, US"=?", 2);
+uschar c;
+
+val = string_cat(val, &size, &ptr, charset, Ustrlen(charset));
+val = string_cat(val, &size, &ptr, US"?Q?", 3);
+
+while ((c = *fname))
+  if (c == '%' && isxdigit(fname[1]) && isxdigit(fname[2]))
+    {
+    val = string_cat(val, &size, &ptr, US"=", 1);
+    val = string_cat(val, &size, &ptr, ++fname, 2);
+    fname += 2;
+    }
+  else
+    val = string_cat(val, &size, &ptr, fname++, 1);
+
+val = string_cat(val, &size, &ptr, US"?=", 2);
+val[*len = ptr] = '\0';
+return val;
+}
+
+
 int
 mime_acl_check(uschar *acl, FILE *f, struct mime_boundary_context *context,
     uschar **user_msgptr, uschar **log_msgptr)
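Review bot: In rfc2231_to_2047 the final `else` copies every byte that is not part of a `%XX` triplet straight into the Q-encoded word, so a filename carrying a literal `?`, `=`, `_` or space changes how the word is parsed once it reaches rfc2047_decode. The word stays well-formed for any input only if those bytes are hex-escaped too, with a branch between the `%XX` case and the plain copy as sketched below. How rfc2047_decode treats a malformed word is not visible here, so the practical effect is inferred; presumably an ACL matching on the decoded filename could see a different name than the one the sender wrote. A comment above the function saying that `fname` and `charset` come from the message header and are untrusted would also help.

```c
  if (c == '%' && isxdigit(fname[1]) && isxdigit(fname[2]))
    /* … unchanged: emit "=" and the two hex digits … */
  else if (c == '?' || c == '=' || c == '_' || c <= ' ' || c >= 127)
    {
    /* bytes that carry meaning inside a Q-encoded word are hex-escaped */
    val = string_cat(val, &size, &ptr, string_sprintf("=%02X", c), 3);
    fname++;
    }
  /* … unchanged: final else copies the byte as-is … */
```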
@@ -689,11 +715,7 @@ while(1)
         else
           p = q;


-        temp_string = expand_string(string_sprintf(
-          "=?%s?Q?${sg{%s}{\\N%%([\\dA-Fa-f]{2})\\N}{=\\$1}}?=",
-          mime_filename_charset, p));
-        slen = Ustrlen(temp_string);
-
+        temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);
         temp_string = rfc2047_decode(temp_string, FALSE, NULL, 32,
           NULL, &err_msg);
         size = Ustrlen(temp_string);
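Review bot: `mime_filename_charset` is passed to rfc2231_to_2047 with no visible check, and the helper calls `Ustrlen(charset)` on it unconditionally. If the variable can still be unset on the `else p = q;` path above (not determinable from this hunk), that is a NULL dereference which the replaced string_sprintf() call may not have had. A guard such as `if (mime_filename_charset)` around the recode, or a fallback charset, would close that. The charset text also comes from the header and is inserted unescaped, so a value containing `?` should be rejected before the call. The enclosing loop starts and ends outside the hunk.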