summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2015-04-26 16:25:11 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2015-04-26 16:25:11 +0100
commit627d1a1b61d9c535835221afcbe1b9cd6548cd3b (patch)
tree35f6b8e592c25c88e7c31bc8a1fead0c26e81479
parentf846c8f531d5615c24a6d4dc0afb9815c4f766f7 (diff)
MIME: recode 2231-to-2047 safely. Bug 466
The original expansion was vulnerable to odd filenames.
-rw-r--r--src/src/mime.c32
1 files changed, 27 insertions, 5 deletions
diff --git a/src/src/mime.c b/src/src/mime.c
index aeab33d9c..6bffa7897 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -543,6 +543,32 @@ return s;
}
+static uschar *
+rfc2231_to_2047(const uschar * fname, const uschar * charset, int * len)
+{
+int size = 0, ptr = 0;
+uschar * val = string_cat(NULL, &size, &ptr, US"=?", 2);
+uschar c;
+
+val = string_cat(val, &size, &ptr, charset, Ustrlen(charset));
+val = string_cat(val, &size, &ptr, US"?Q?", 3);
+
+while ((c = *fname))
+ if (c == '%' && isxdigit(fname[1]) && isxdigit(fname[2]))
+ {
+ val = string_cat(val, &size, &ptr, US"=", 1);
+ val = string_cat(val, &size, &ptr, ++fname, 2);
+ fname += 2;
+ }
+ else
+ val = string_cat(val, &size, &ptr, fname++, 1);
+
+val = string_cat(val, &size, &ptr, US"?=", 2);
+val[*len = ptr] = '\0';
+return val;
+}
+
+
int
mime_acl_check(uschar *acl, FILE *f, struct mime_boundary_context *context,
uschar **user_msgptr, uschar **log_msgptr)
@@ -689,11 +715,7 @@ while(1)
else
p = q;
- temp_string = expand_string(string_sprintf(
- "=?%s?Q?${sg{%s}{\\N%%([\\dA-Fa-f]{2})\\N}{=\\$1}}?=",
- mime_filename_charset, p));
- slen = Ustrlen(temp_string);
-
+ temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);
temp_string = rfc2047_decode(temp_string, FALSE, NULL, 32,
NULL, &err_msg);
size = Ustrlen(temp_string);