[exim-dev] [Bug 3099] New: Incorrect parsing of multiline rf…

Author: Exim Bugzilla
Date:
To: exim-dev
Subject: [exim-dev] [Bug 3099] New: Incorrect parsing of multiline rfc2231 header filename
https://bugs.exim.org/show_bug.cgi?id=3099

            Bug ID: 3099
           Summary: Incorrect parsing of multiline rfc2231 header filename
           Product: Exim
           Version: 4.97
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: phillip-sz@???
                CC: exim-dev@???


[This bug can be a potential security issue for users that have implemented an
extension block list via matching with $mime_filename, because the filename is
not parsed correctly and omits the relevant last part of the filename]

Overview: When a multiline RFC2231 filename (see
https://datatracker.ietf.org/doc/html/rfc2231#section-3) in the header of a
mail attachment is used, Exim does not correctly parse the filename, but only
populates the first part in $mime_filename.

Steps to Reproduce:

1. use the following config:

acl_smtp_mime = acl_check_mime

begin acl
acl_check_mime:
    warn decode = default
    warn log_message = mimewarn: $mime_part_count $mime_filename


2. receive a mail containing the following rfc2231 header:

MIME-Version: 1.0
Content-Type: application/pdf;
        name*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pd;
        name*1=f
Content-Disposition: attachment;
        filename*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
        filename*1=x.pdf
Content-Transfer-Encoding: base64



Actual Results:

In the debugging output and log, $mime_filename is shown as
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx":


Found Content-Type: header - executing acl_smtp_mime.
MIME: found content-type: header, value is 'application/pdf'
MIME:   considering paramlist
'name*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pd;name*1=f;'
MIME:   considering paramlist 'name*1=f;'
MIME: found content-disposition: header, value is 'attachment'
MIME:   considering paramlist
'filename*0*=iso-8859-1''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;filename*1=x.pdf;'
MIME:    charset iso-8859-1 fname
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MIME:    2047-name
=?iso-8859-1?Q?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?=
MIME:    plain-name xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MIME:  found filename parameter in content-disposition: header, value is
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MIME: found content-transfer-encoding: header, value is 'base64'
using ACL "acl_check_mime"



The code in https://git.exim.org/exim.git/blob/HEAD:/src/src/mime.c does not
forward multiline filenames to $mime_filename correctly.

Expected Results:

$mime_filename should be
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pdf"

Build Date & Hardware/Additional Builds and Platforms:

Possibly all Exim versions, tested on Ubuntu 24.04, with Exim 4.97 #2 built
31-Mar-2024

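Added example (not part of the original report and not Exim's code): RFC 2231 section 3 continuation reassembly in Python, run on a constructed Content-Disposition value shaped like the one in the report, to show how an extension check on segment 0 alone and a check on the reassembled name disagree. The names rfc2231_param, is_blocked and compare, and the block list, are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Content-Disposition value with the same shape as the report's header.
SAMPLE = ("attachment;\r\n"
          "\tfilename*0*=iso-8859-1''xxxxxxxx;\r\n"
          "\tfilename*1=x.pdf")
BLOCKED_EXTENSIONS = {"pdf"}  # hypothetical block list, for illustration only

# ;name[*N][*]=value where value is a quoted-string or a run of token characters
PARAM = re.compile(
    r';\s*([^\s=*;]+)(?:\*(\d+))?(\*)?\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')

def rfc2231_param(header_value, name, max_segments=None):
    """Join segments name*0, name*1, ... in order and decode them (RFC 2231 s.3/4)."""
    segments = {}
    for key, index, extended, raw in PARAM.findall(header_value):
        if key.lower() == name:
            if raw.startswith('"'):                    # quoted-string: unescape
                raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
            segments[int(index or 0)] = (bool(extended), raw)
    charset, out, i = "us-ascii", b"", 0
    while i in segments and (max_segments is None or i < max_segments):
        extended, raw = segments[i]
        if extended and i == 0 and raw.count("'") >= 2:
            charset, _lang, raw = raw.split("'", 2)    # charset'language'value
        # Only segments marked with a trailing '*' are percent-encoded.
        out += unquote_to_bytes(raw) if extended else raw.encode("latin-1", "replace")
        i += 1
    return out.decode(charset or "us-ascii", "replace") if segments else None

def is_blocked(filename):
    """Extension check of the kind an ACL would make on the filename."""
    _stem, dot, ext = (filename or "").rpartition(".")
    return bool(dot) and ext.lower() in BLOCKED_EXTENSIONS

def compare(header_value):
    """Return (name, verdict) for segment 0 only and for the full reassembly."""
    truncated = rfc2231_param(header_value, "filename", max_segments=1)
    full = rfc2231_param(header_value, "filename")
    return (truncated, is_blocked(truncated)), (full, is_blocked(full))

if __name__ == "__main__":
    for label, (fname, blocked) in zip(("segment 0 only", "all segments"),
                                       compare(SAMPLE)):
        print(f"{label:15} {fname!r:16} blocked={blocked}")
```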