Skip to content
Snippets Groups Projects
Commit 1cbc2470 authored by Stephan Bosch's avatar Stephan Bosch
Browse files

Fixed Sieve script name checking to properly handle length issues and added... 

Fixed Sieve script name checking to properly handle length issues and added 0x00ff as invalid character.
parent 97d88d9c
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/lib-sieve/sieve-script.c
+ 24
8
View file @ 1cbc2470
......@@ -36,8 +36,12 @@ bool sieve_script_name_is_valid(const char *scriptname)
const unichar_t *name_chars;
size_t namelen = strlen(scriptname);
/* Check maximum length */
if ( namelen > SIEVE_MAX_SCRIPT_NAME_LEN )
/* Check minimum length */
if ( namelen == 0 )
return FALSE;
/* Check worst-case maximum length */
if ( namelen > SIEVE_MAX_SCRIPT_NAME_LEN * 4 )
return FALSE;
/* Intialize array for unicode characters */
......@@ -46,16 +50,24 @@ bool sieve_script_name_is_valid(const char *scriptname)
/* Convert UTF-8 to UCS4/UTF-32 */
if ( uni_utf8_to_ucs4(scriptname, &uni_name) < 0 )
return FALSE;
/* Scan name for invalid characters */
name_chars = array_get(&uni_name, &count);
/* Check true maximum length */
if ( count > SIEVE_MAX_SCRIPT_NAME_LEN )
return FALSE;
/* Scan name for invalid characters
* FIXME: compliance with Net-Unicode Definition (Section 2 of
* RFC 5198) is not checked fully and no normalization
* is performed.
*/
for ( i = 0; i < count; i++ ) {
/* 0000-001F; [CONTROL CHARACTERS] */
if ( name_chars[i] <= 0x001f )
return FALSE;
/* 002F; SLASH */
/* 002F; SLASH (not RFC-prohibited, but '/' is dangerous) */
if ( name_chars[i] == 0x002f )
return FALSE;
......@@ -67,6 +79,10 @@ bool sieve_script_name_is_valid(const char *scriptname)
if ( name_chars[i] >= 0x0080 && name_chars[i] <= 0x009f )
return FALSE;
/* 00FF */
if ( name_chars[i] == 0x00ff )
return FALSE;
/* 2028; LINE SEPARATOR */
/* 2029; PARAGRAPH SEPARATOR */
if ( name_chars[i] == 0x2028 || name_chars[i] == 0x2029 )
......@@ -88,8 +104,8 @@ static inline const char *_sieve_scriptfile_get_basename(const char *filename)
ext = strrchr(filename, '.');
if ( ext == NULL || ext == filename || strncmp(ext,".sieve",6) != 0 )
return filename;
return t_strdup_until(filename, ext);
return t_strdup_until(filename, ext);
}
bool sieve_script_file_has_extension(const char *filename)
......
src/managesieve/cmd-putscript.c
+ 1
1
View file @ 1cbc2470
......@@ -431,7 +431,7 @@ bool cmd_putscript(struct client_command_context *cmd)
const char *scriptname;
/* <scriptname> */
if ( !client_read_string_args(cmd, 1, FALSE, &scriptname) || *scriptname == '\0' )
if ( !client_read_string_args(cmd, 1, FALSE, &scriptname) )
return FALSE;
return cmd_putscript_start(cmd, scriptname);
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Consent

On this website, we use the web analytics service Matomo to analyze and review the use of our website. Through the collected statistics, we can improve our offerings and make them more appealing for you. Here, you can decide whether to allow us to process your data and set corresponding cookies for these purposes, in addition to technically necessary cookies. Further information on data protection—especially regarding "cookies" and "Matomo"—can be found in our privacy policy. You can withdraw your consent at any time.