https://bugs.exim.org/show_bug.cgi?id=3099
Bug ID: 3099
Summary: Incorrect parsing of multiline rfc2231 header filename
Product: Exim
Version: 4.97
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: ACLs
Assignee: jgh146exb@???
Reporter: phillip-sz@???
CC: exim-dev@???
[This bug can be a potential security issue for users that have implemented an
extension block list via matching with $mime_filename, because the filename is
not parsed correctly and omits the relevant last part of the filename]
Overview: When a multiline RFC2231 filename (see
https://datatracker.ietf.org/doc/html/rfc2231#section-3) in the header of a
mail attachment is used, Exim does not correctly parse the filename, but only
populates the first part in $mime_filename.
Steps to Reproduce:
1. use the following config:
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
warn decode = default
warn log_message = mimewarn: $mime_part_count $mime_filename
2. receive a mail containing the following rfc2231 header:
MIME-Version: 1.0
Content-Type: application/pdf;
name*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pd;
name*1=f
Content-Disposition: attachment;
filename*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
filename*1=x.pdf
Content-Transfer-Encoding: base64
Actual Results:
In the debugging output and log, $mime_filename is shown as
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx":
Found Content-Type: header - executing acl_smtp_mime.
MIME: found content-type: header, value is 'application/pdf'
MIME: considering paramlist
'name*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pd;name*1=f;'
MIME: considering paramlist 'name*1=f;'
MIME: found content-disposition: header, value is 'attachment'
MIME: considering paramlist
'filename*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;filename*1=x.pdf;'
MIME: charset iso-8859-1 fname
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MIME: 2047-name
=?iso-8859-1?Q?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?=
MIME: plain-name xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MIME: found filename parameter in content-disposition: header, value is
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MIME: found content-transfer-encoding: header, value is 'base64'
using ACL "acl_check_mime"
The code in
https://git.exim.org/exim.git/blob/HEAD:/src/src/mime.c does not
forward multiline filenames to $mime_filename correctly.
Expected Results:
$mime_filename should be
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pdf"
Build Date & Hardware/Additional Builds and Platforms:
Possibly all Exim versions; tested on Ubuntu 24.04, with Exim 4.97 #2 built
31-Mar-2024
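
Added example (Python, not Exim's C code and not part of the report): reassembling RFC 2231 continuation sections before an extension check, next to the section-0-only value the report describes. The sample header, the function names and the deny set are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample shaped like the report's header: an extended section 0
# (charset''percent-encoded text) followed by a plain continuation section.
SAMPLE = ("attachment;\r\n filename*0*=iso-8859-1''r%E9sum%E9_2024;\r\n"
          " filename*1=_final.pdf")

# name, optional *N section number, optional trailing * (extended), value
PARAM = re.compile(
    r';\s*([^\s=;*]+)(?:\*(\d+))?(\*)?\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')

def segments(header, want="filename"):
    """Return [(section, raw_value, extended)] for one parameter, in order."""
    out = []
    for name, num, ext, val in PARAM.findall(header):
        if name.lower() != want:
            continue
        if val.startswith('"'):          # quoted-string: drop quotes, unescape
            val = re.sub(r'\\(.)', r'\1', val[1:-1])
        out.append((int(num or 0), val, bool(ext)))
    return sorted(out)

def decode(segs):
    """Join sections as bytes, then decode once with section 0's charset."""
    if not segs:
        return None
    charset, raw = "us-ascii", b""
    for i, (_num, val, ext) in enumerate(segs):
        if i == 0 and ext and val.count("'") >= 2:
            cs, _lang, val = val.split("'", 2)   # charset'language'value
            charset = cs or charset
        raw += unquote_to_bytes(val) if ext else val.encode("ascii", "replace")
    try:
        return raw.decode(charset, errors="replace")
    except LookupError:                   # unknown charset label
        return raw.decode("latin-1")

def full_filename(header):
    return decode(segments(header))

def first_section_only(header):
    """Models the truncated value the report sees in $mime_filename."""
    return decode(segments(header)[:1])

def blocked(name, deny=frozenset({"pdf"})):   # hypothetical deny set
    """Extension check of the kind the report says admins build on the name."""
    return bool(name) and name.strip().rstrip(".").rsplit(".", 1)[-1].lower() in deny
```

Sections are concatenated as bytes before charset decoding so that a multi-byte character split across two sections still decodes correctly.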