From ba4a0cf589d4465d5217cc24b4d3dd0857f6cb0e Mon Sep 17 00:00:00 2001
From: Leah Neukirchen
Date: Tue, 5 Dec 2017 16:59:31 +0100
Subject: rfc2047: blaze822_decode_rfc2047: don't decode encoded-words that contain NUL bytes

This is a lax interpretation of RFC 2047, 4.5:

> Only printable and white space character data should be encoded using
> this scheme. However, since these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects.

Since many of the code that deals with header values does not support inline NUL bytes, it's best to not decode them here. We check for this after iconv, so quoted-printable UTF-32 e.g. should be safe.

Also see https://www.mailsploit.com/
---
 rfc2047.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'rfc2047.c')

diff --git a/rfc2047.c b/rfc2047.c
index c152922..ab65772 100644
--- a/rfc2047.c
+++ b/rfc2047.c
@@ -132,7 +132,7 @@ blaze822_decode_rfc2047(char *dst, char *src, size_t dlen, char *tgtenc)
 	char *b = src;
-	// use memmem
+	// XXX use memmem
 	char *s = strstr(src, "=?");
 	if (!s) goto nocodeok;
@@ -233,6 +233,9 @@ blaze822_decode_rfc2047(char *dst, char *src, size_t dlen, char *tgtenc)
 		}
 	}
+	if (memchr(dst, 0, dlen))
+		goto nocode;
+
 	while (!partial && declen && dlen) {
 		*dst++ = *dec++;
 		declen--;
-- cgit 1.4.1
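Review bot: In the second hunk, `memchr(dst, 0, dlen)` scans forward from the current output cursor over its remaining capacity rather than over the bytes that were just decoded: the copy loop directly below writes through `*dst++` and tests `dlen` as remaining space, so if the iconv call earlier in this function (outside the hunk) has already advanced `dst`, the check inspects unwritten buffer contents and can both miss a NUL inside the converted text and spuriously take `nocode` on whatever stale bytes happen to follow. A check bounded to the converted region is what the commit message describes; for example record `char *dst0 = dst;` before the conversion and test `if (memchr(dst0, 0, (size_t)(dst - dst0))) goto nocode;`. Bytes copied by the `while (!partial && declen && dlen)` loop after the check are not covered either, so it may be worth placing the check after that loop or scanning the `dec` bytes it copies. The body of blaze822_decode_rfc2047 begins and ends outside both hunks, so where `dst` is first advanced cannot be confirmed from what is shown here.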