Gitweb:
http://git.exim.org/exim.git/commitdiff/627d1a1b61d9c535835221afcbe1b9cd6548cd3b
Commit: 627d1a1b61d9c535835221afcbe1b9cd6548cd3b
Parent: f846c8f531d5615c24a6d4dc0afb9815c4f766f7
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Apr 26 16:25:11 2015 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Apr 26 16:25:11 2015 +0100
MIME: recode 2231-to-2047 safely. Bug 466
The original expansion was vulnerable to odd filenames.
---
src/src/mime.c | 32 +++++++++++++++++++++++++++-----
1 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/src/src/mime.c b/src/src/mime.c
index aeab33d..6bffa78 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -543,6 +543,32 @@ return s;
}
+static uschar *
+rfc2231_to_2047(const uschar * fname, const uschar * charset, int * len)
+{
+int size = 0, ptr = 0;
+uschar * val = string_cat(NULL, &size, &ptr, US"=?", 2);
+uschar c;
+
+val = string_cat(val, &size, &ptr, charset, Ustrlen(charset));
+val = string_cat(val, &size, &ptr, US"?Q?", 3);
+
+while ((c = *fname))
+ if (c == '%' && isxdigit(fname[1]) && isxdigit(fname[2]))
+ {
+ val = string_cat(val, &size, &ptr, US"=", 1);
+ val = string_cat(val, &size, &ptr, ++fname, 2);
+ fname += 2;
+ }
+ else
+ val = string_cat(val, &size, &ptr, fname++, 1);
+
+val = string_cat(val, &size, &ptr, US"?=", 2);
+val[*len = ptr] = '\0';
+return val;
+}
+
+
int
mime_acl_check(uschar *acl, FILE *f, struct mime_boundary_context *context,
uschar **user_msgptr, uschar **log_msgptr)
@@ -689,11 +715,7 @@ while(1)
else
p = q;
- temp_string = expand_string(string_sprintf(
- "=?%s?Q?${sg{%s}{\\N%%([\\dA-Fa-f]{2})\\N}{=\\$1}}?=",
- mime_filename_charset, p));
- slen = Ustrlen(temp_string);
-
+ temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);
temp_string = rfc2047_decode(temp_string, FALSE, NULL, 32,
NULL, &err_msg);
size = Ustrlen(temp_string);