From 622dbd6a512d2c7786125e3b80e96a43e54b8e90 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 25 Nov 2015 17:49:03 +0000 Subject: [PATCH] MIME: fix crash on filenames having null charset. Bug 1730 --- src/src/mime.c | 39 +++++++++++++++++++-------------- test/log/4000 | 5 ++++- test/mail/4000.userx | 39 +++++++++++++++++++++++++++++++++ test/scripts/4000-scanning/4000 | 30 +++++++++++++++++++++++++ test/stdout/4000 | 11 ++++++++++ 5 files changed, 107 insertions(+), 17 deletions(-) diff --git a/src/src/mime.c b/src/src/mime.c index 618364a3e..cc9ffb7c6 100644 --- a/src/src/mime.c +++ b/src/src/mime.c @@ -550,7 +550,8 @@ int size = 0, ptr = 0; uschar * val = string_cat(NULL, &size, &ptr, US"=?", 2); uschar c; -val = string_cat(val, &size, &ptr, charset, Ustrlen(charset)); +if (charset) + val = string_cat(val, &size, &ptr, charset, Ustrlen(charset)); val = string_cat(val, &size, &ptr, US"?Q?", 3); while ((c = *fname)) @@ -607,7 +608,7 @@ while(1) if (!fgets(CS header, MIME_MAX_HEADER_SIZE, f)) { /* Hit EOF or read error. Ugh. */ - DEBUG(D_acl) debug_printf("Hit EOF ...\n"); + DEBUG(D_acl) debug_printf("MIME: Hit EOF ...\n"); return rc; } @@ -619,12 +620,12 @@ while(1) if (Ustrncmp((header+2+Ustrlen(context->boundary)), "--", 2) == 0) { /* END boundary found */ - DEBUG(D_acl) debug_printf("End boundary found %s\n", + DEBUG(D_acl) debug_printf("MIME: End boundary found %s\n", context->boundary); return rc; } - DEBUG(D_acl) debug_printf("Next part with boundary %s\n", + DEBUG(D_acl) debug_printf("MIME: Next part with boundary %s\n", context->boundary); break; } @@ -648,7 +649,7 @@ while(1) for (q = p; *q != ';' && *q; q++) ; *mh->value = string_copynlc(p, q-p); - DEBUG(D_acl) debug_printf("found %s MIME header, value is '%s'\n", + DEBUG(D_acl) debug_printf("MIME: found %s header, value is '%s'\n", mh->name, *mh->value); if (*(p = q)) p++; /* jump past the ; */ @@ -666,7 +667,7 @@ while(1) { mime_parameter * mp; - DEBUG(D_acl) debug_printf(" considering paramlist '%s'\n", p); + DEBUG(D_acl) debug_printf("MIME: considering paramlist '%s'\n", p); if ( !mime_filename && strncmpic(CUS"content-disposition:", header, 20) == 0 @@ -700,22 +701,27 @@ while(1) uschar * s = q; /* look for a ' in the "filename" */ - while(*s != '\'' && *s) s++; /* s is ' or NUL */ + while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ if ((size = s-q) > 0) - { mime_filename_charset = string_copyn(q, size); - p = s; - while(*p == '\'' && *p) p++; /* p is after ' */ - } + if (*(p = s)) p++; + while(*p == '\'') p++; /* p is after 2nd ' */ } else p = q; + DEBUG(D_acl) debug_printf("MIME: charset %s fname '%s'\n", + mime_filename_charset ? mime_filename_charset : US"", p); + temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen); - temp_string = rfc2047_decode(temp_string, FALSE, NULL, 32, + DEBUG(D_acl) debug_printf("MIME: 2047-name %s\n", temp_string); + + temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', NULL, &err_msg); + DEBUG(D_acl) debug_printf("MIME: plain-name %s\n", temp_string); + size = Ustrlen(temp_string); if (size == slen) @@ -750,7 +756,7 @@ while(1) &dummy_errstr) : NULL; DEBUG(D_acl) debug_printf( - " found %s MIME parameter in %s header, value '%s'\n", + "MIME: found %s parameter in %s header, value '%s'\n", mp->name, mh->name, *mp->value); break; /* done matching param names */ @@ -768,7 +774,7 @@ while(1) if (decoding_failed) mime_filename = mime_fname_rfc2231; DEBUG(D_acl) debug_printf( - " found %s MIME parameter in %s header, value is '%s'\n", + "MIME: found %s parameter in %s header, value is '%s'\n", "filename", mh->name, mime_filename); } } @@ -809,8 +815,9 @@ while(1) (nested_context.boundary != NULL) && (Ustrncmp(mime_content_type,"multipart",9) == 0) ) { - DEBUG(D_acl) debug_printf("Entering multipart recursion, boundary '%s'\n", - nested_context.boundary); + DEBUG(D_acl) + debug_printf("MIME: Entering multipart recursion, boundary '%s'\n", + nested_context.boundary); nested_context.context = context && context->context == MBC_ATTACHMENT diff --git a/test/log/4000 b/test/log/4000 index bb1a04fe9..c39fb583c 100644 --- a/test/log/4000 +++ b/test/log/4000 @@ -13,6 +13,9 @@ 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty4" 1999-03-02 09:44:33 10HmbB-0005vi-00 => userx R=r1 T=t1 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex T="Nasty5" 1999-03-02 09:44:33 10HmbC-0005vi-00 => userx R=r1 T=t1 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133502.GA3059@test.ex T="Nasty6" +1999-03-02 09:44:33 10HmbD-0005vi-00 => userx R=r1 T=t1 +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed diff --git a/test/mail/4000.userx b/test/mail/4000.userx index f59b904f3..486fb039d 100644 --- a/test/mail/4000.userx +++ b/test/mail/4000.userx @@ -303,6 +303,7 @@ Received: from CALLER (helo=test.ex) for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 Date: Tue, 2 Mar 1999 09:44:33 +0000 Message-ID: <20041217133501.GA3058@test.ex> +Subject: Nasty5 Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="T4sUOijqQbZv57TR" From: CALLER_NAME @@ -360,3 +361,41 @@ Content-Disposition: attachment; filename*=ISO-8859-1''%74%65%73%74%20%E4%20%74% --T4sUOijqQbZv57TR-- +From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 +Received: from CALLER (helo=test.ex) + by myhost.test.ex with local-esmtp (Exim x.yz) + (envelope-from ) + id 10HmbD-0005vi-00 + for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +Date: Tue, 2 Mar 1999 09:44:33 +0000 +From: J Caesar +To: a-list00@exim.org +Message-ID: <20041217133502.GA3059@test.ex> +Mime-Version: 1.0 +Content-Type: application/pdf; + name*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF +Content-Disposition: attachment; + filename*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF +Subject: Nasty6 +Sender: CALLER_NAME +X-0-content-type: application/pdf +X-0-filename: 2015.11.13 - Präsentation GI - LK.PDF +X-0-charset: +X-0-boundary: +X-0-content-disposition: attachment +X-0-content-transfer-encoding: +X-0-content-id: +X-0-content-description: +X-0-is-multipart: 0 +X-0-is-coverletter: 1 +X-0-is-rfc822: 0 +X-0-decode-filename: TESTSUITE/spool/scan/10HmbD-0005vi-00/10HmbD-0005vi-00-00000 +X-0-content-size: 1 + +--T4sUOijqQbZv57TR +Content-Type: text/plain; + +foobar + +--T4sUOijqQbZv57TR-- + diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000 index eda235b10..b29aed1e0 100644 --- a/test/scripts/4000-scanning/4000 +++ b/test/scripts/4000-scanning/4000 @@ -194,6 +194,7 @@ rcpt to: data Date: Fri, 17 Dec 2004 14:35:01 +0100 Message-ID: <20041217133501.GA3058@test.ex> +Subject: Nasty5 Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="T4sUOijqQbZv57TR" @@ -213,3 +214,32 @@ Content-Disposition: attachment; filename*=ISO-8859-1''%74%65%73%74%20%E4%20%74% . quit **** +# +# +# This one has a legit param; empty charset +# +exim -odi -bs +ehlo test.ex +mail from:<> +rcpt to: +data +Date: Fri, 17 Dec 2004 14:35:01 +0100 +From: J Caesar +To: a-list00@exim.org +Message-ID: <20041217133502.GA3059@test.ex> +Mime-Version: 1.0 +Content-Type: application/pdf; + name*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF +Content-Disposition: attachment; + filename*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF +Subject: Nasty6 + +--T4sUOijqQbZv57TR +Content-Type: text/plain; + +foobar + +--T4sUOijqQbZv57TR-- +. +quit +**** diff --git a/test/stdout/4000 b/test/stdout/4000 index 95511480e..c1e2b2450 100644 --- a/test/stdout/4000 +++ b/test/stdout/4000 @@ -64,3 +64,14 @@ 354 Enter message, ending with "." on a line by itself 250 OK id=10HmbC-0005vi-00 221 myhost.test.ex closing connection +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250-myhost.test.ex Hello CALLER at test.ex +250-SIZE 52428800 +250-8BITMIME +250-PIPELINING +250 HELP +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmbD-0005vi-00 +221 myhost.test.ex closing connection -- 2.30.2