[interchange-cvs] interchange - jon modified code/UserTag/email.tag

interchange-cvs at icdevgroup.org interchange-cvs at icdevgroup.org
Mon Sep 26 15:36:59 EDT 2005 

User:      jon
Date:      2005-09-26 19:36:59 GMT
Modified:  code/UserTag email.tag
Log:
Prevent spammer abuse of [email] tag via header injection in inputs such
as To, From, Subject. Properly handle multiple-line "folded" headers as
per RFC, but reject any other newlines attempted injection abuses.

Properly tolerate missing MIME::Lite module, as appears to have been
originally intended.

Bring back cosmetic changes from version 1.6, which were nuked in 1.7.

Revision  Changes    Path
1.8       +23 -10    interchange/code/UserTag/email.tag


rev 1.8, prev_rev 1.7
Index: email.tag
===================================================================
RCS file: /var/cvs/interchange/code/UserTag/email.tag,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -u -r1.7 -r1.8
--- email.tag	28 Aug 2005 14:31:30 -0000	1.7
+++ email.tag	26 Sep 2005 19:36:59 -0000	1.8
@@ -1,6 +1,6 @@
 # Copyright 2002 Interchange Development Group (http://www.icdevgroup.org/)
 # Licensed under the GNU GPL v2. See file LICENSE for details.
-# $Id: email.tag,v 1.7 2005/08/28 14:31:30 mheins Exp $
+# $Id: email.tag,v 1.8 2005/09/26 19:36:59 jon Exp $
 
 UserTag email Order to subject reply from extra
 UserTag email hasEndTag
@@ -10,8 +10,10 @@
 
 my $Have_mime_lite;
 BEGIN {
-	require MIME::Lite;
-	$Have_mime_lite = 1;
+	eval {
+		require MIME::Lite;
+		$Have_mime_lite = 1;
+	};
 }
 
 sub {
@@ -29,9 +31,22 @@
 		$from = $Vend::Cfg->{MailOrderTo};
 		$from =~ s/,.*//;
 	}
-	$extra =~ s/\s*$/\n/ if $extra;
-        $extra .= "From: $from\n" if $from;
-	@extra = grep /\S/, split(/\n/, $extra);
+
+	# Prevent header injections from spammers' hostile content
+	for ($to, $subject, $reply, $from) {
+		# unfold valid RFC 2822 "2.2.3. Long Header Fields"
+		s/\r?\n([ \t]+)/$1/g;
+		# now remove any invalid extra lines left over
+		s/[\r\n](.*)//s
+			and ::logError("Header injection attempted in email tag: %s", $1);
+	}
+
+	for (grep /\S/, split /[\r\n]+/, $extra) {
+		# require header conformance with RFC 2822 section 2.2
+		push (@extra, $_), next if /^[\x21-\x39\x3b-\x7e]+:[\x00-\x09\x0b\x0c\x0e-\x7f]+$/;
+		::logError("Invalid header given to email tag: %s", $_);
+	}
+	unshift @extra, "From: $from" if $from;
 
 	ATTACH: {
 #::logDebug("Checking for attachment");
@@ -145,12 +160,10 @@
 		}
 	}
 
-    SEND: {
-            $ok = send_mail($to, $subject, $body, $reply, 0, @extra);
-    }
+	$ok = send_mail($to, $subject, $body, $reply, 0, @extra);
 
     if (!$ok) {
-        logError("Unable to send mail using $Vend::Cfg->{'SendMailProgram'}\n" .
+        logError("Unable to send mail using $Vend::Cfg->{SendMailProgram}\n" .
             "To '$to'\n" .
             "From '$from'\n" .
             "With extra headers '$extra'\n" .

More information about the interchange-cvs mailing list