[interchange-cvs] interchange - jon modified code/UserTag/email.tag
interchange-cvs at icdevgroup.org
interchange-cvs at icdevgroup.org
Mon Sep 26 15:36:59 EDT 2005
User: jon
Date: 2005-09-26 19:36:59 GMT
Modified: code/UserTag email.tag
Log:
Prevent spammer abuse of [email] tag via header injection in inputs such
as To, From, Subject. Properly handle multiple-line "folded" headers as
per RFC, but reject any other newlines attempted injection abuses.
Properly tolerate missing MIME::Lite module, as appears to have been
originally intended.
Bring back cosmetic changes from version 1.6, which were nuked in 1.7.
Revision Changes Path
1.8 +23 -10 interchange/code/UserTag/email.tag
rev 1.8, prev_rev 1.7
Index: email.tag
===================================================================
RCS file: /var/cvs/interchange/code/UserTag/email.tag,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -u -r1.7 -r1.8
--- email.tag 28 Aug 2005 14:31:30 -0000 1.7
+++ email.tag 26 Sep 2005 19:36:59 -0000 1.8
@@ -1,6 +1,6 @@
# Copyright 2002 Interchange Development Group (http://www.icdevgroup.org/)
# Licensed under the GNU GPL v2. See file LICENSE for details.
-# $Id: email.tag,v 1.7 2005/08/28 14:31:30 mheins Exp $
+# $Id: email.tag,v 1.8 2005/09/26 19:36:59 jon Exp $
UserTag email Order to subject reply from extra
UserTag email hasEndTag
@@ -10,8 +10,10 @@
my $Have_mime_lite;
BEGIN {
- require MIME::Lite;
- $Have_mime_lite = 1;
+ eval {
+ require MIME::Lite;
+ $Have_mime_lite = 1;
+ };
}
sub {
@@ -29,9 +31,22 @@
$from = $Vend::Cfg->{MailOrderTo};
$from =~ s/,.*//;
}
- $extra =~ s/\s*$/\n/ if $extra;
- $extra .= "From: $from\n" if $from;
- @extra = grep /\S/, split(/\n/, $extra);
+
+ # Prevent header injections from spammers' hostile content
+ for ($to, $subject, $reply, $from) {
+ # unfold valid RFC 2822 "2.2.3. Long Header Fields"
+ s/\r?\n([ \t]+)/$1/g;
+ # now remove any invalid extra lines left over
+ s/[\r\n](.*)//s
+ and ::logError("Header injection attempted in email tag: %s", $1);
+ }
+
+ for (grep /\S/, split /[\r\n]+/, $extra) {
+ # require header conformance with RFC 2822 section 2.2
+ push (@extra, $_), next if /^[\x21-\x39\x3b-\x7e]+:[\x00-\x09\x0b\x0c\x0e-\x7f]+$/;
+ ::logError("Invalid header given to email tag: %s", $_);
+ }
+ unshift @extra, "From: $from" if $from;
ATTACH: {
#::logDebug("Checking for attachment");
@@ -145,12 +160,10 @@
}
}
- SEND: {
- $ok = send_mail($to, $subject, $body, $reply, 0, @extra);
- }
+ $ok = send_mail($to, $subject, $body, $reply, 0, @extra);
if (!$ok) {
- logError("Unable to send mail using $Vend::Cfg->{'SendMailProgram'}\n" .
+ logError("Unable to send mail using $Vend::Cfg->{SendMailProgram}\n" .
"To '$to'\n" .
"From '$from'\n" .
"With extra headers '$extra'\n" .
More information about the interchange-cvs
mailing list