Fix parsing of quoted parameter values in MIME headers. Bug 1513
authorJeremy Harris <jgh146exb@wizmail.org>
Wed, 30 Jul 2014 20:42:38 +0000 (21:42 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Wed, 30 Jul 2014 20:42:38 +0000 (21:42 +0100)
src/src/mime.c

index 6a9e31a0aa5e5aaf20a5868956c435cb316c431d..95d3da4723cf5de2115014dfebb73ae728639ac0 100644 (file)
@@ -601,16 +601,28 @@ NEXT_PARAM_SEARCH:
            int param_value_len = 0;
 
            /* found an interesting parameter? */
            int param_value_len = 0;
 
            /* found an interesting parameter? */
-           if (strncmpic(mp->name, p,mp->namelen) == 0)
+           if (strncmpic(mp->name, p, mp->namelen) == 0)
              {
              uschar *q = p + mp->namelen;
              {
              uschar *q = p + mp->namelen;
+             int size = 0;
+             int ptr = 0;
+
              /* yes, grab the value and copy to its corresponding expansion variable */
              /* yes, grab the value and copy to its corresponding expansion variable */
-             while(*q != ';') q++;
-             param_value_len = (q - (p + mp->namelen));
-             param_value = (uschar *)malloc(param_value_len+1);
-             memset(param_value,0,param_value_len+1);
-             q = p + mp->namelen;
-             Ustrncpy(param_value, q, param_value_len);
+             while(*q && *q != ';')            /* ; terminates */
+               {
+               if (*q == '"')
+                 {
+                 q++;                          /* skip leading " */
+                 while(*q && *q != '"')        /* which protects ; */
+                   param_value = string_cat(param_value, &size, &ptr, q++, 1);
+                 if (*q) q++;                  /* skip trailing " */
+                 }
+               else
+                 param_value = string_cat(param_value, &size, &ptr, q++, 1);
+               }
+             param_value[ptr++] = '\0';
+             param_value_len = ptr;
+
              param_value = rfc2047_decode(param_value, check_rfc2047_length, NULL, 32, &param_value_len, &q);
              debug_printf("Found %s MIME parameter in %s header, value is '%s'\n", mp->name, mime_header_list[i].name, param_value);
              *((uschar **)(mp->value)) = param_value;
              param_value = rfc2047_decode(param_value, check_rfc2047_length, NULL, 32, &param_value_len, &q);
              debug_printf("Found %s MIME parameter in %s header, value is '%s'\n", mp->name, mime_header_list[i].name, param_value);
              *((uschar **)(mp->value)) = param_value;