From 94c80042eae3383c812d9552089953f9846b1bb6 Mon Sep 17 00:00:00 2001 From: markus schnalke Date: Thu, 12 Apr 2012 15:18:12 +0200 Subject: [PATCH] Don't treat application/octet-stream with type=tar special. Don't auto-extract such parts with `mhstore -auto'. This makes -auto less a security problem. The auto-extract feature of mhshow that had been described in its man page seems to not exist, anyway. --- man/mhshow.man1 | 6 ----- man/mhstore.man1 | 48 ----------------------------------- uip/mhstore.c | 73 +----------------------------------------------------- 3 files changed, 1 insertion(+), 126 deletions(-) diff --git a/man/mhshow.man1 b/man/mhshow.man1 index e3fbdb7..8ebc7ba 100644 --- a/man/mhshow.man1 +++ b/man/mhshow.man1 @@ -257,12 +257,6 @@ multipart (without a profile entry), will be treated as multipart/mixed. .PP If none of these apply, then .B mhshow -will check to see if the message -has an application/octet-stream content with parameter \*(lqtype=tar\*(rq. -If so, -.B mhshow -will use an appropriate command. If not, -.B mhshow will complain. .PP Example entries might be: diff --git a/man/mhstore.man1 b/man/mhstore.man1 index fcd833d..61e2ab2 100644 --- a/man/mhstore.man1 +++ b/man/mhstore.man1 @@ -225,13 +225,6 @@ listed above) content, the p-escapes are ignored. .PP If no formatting string is found, .B mhstore -will check to see -if the content is application/octet-stream with parameter -\*(lqtype=tar\*(rq. If so, -.B mhstore -will choose an appropriate -filename. If the content is not application/octet-stream, then -.B mhstore will check to see if the content is a message. If so, .B mhstore 
@@ -297,48 +290,7 @@ are combined in the correct order. But if can not locate every partial necessary to reassemble the message, it will not store anything. -RE -.PP -By using the -.B \-auto -switch, -.B mhstore -will automatically do the extraction for you: -.PP -.RS 5 -.nf -% mhlist 5-8 - msg part type/subtype size description - 5 message/partial 47K part 1 of 4 - 6 message/partial 47K part 2 of 4 - 7 message/partial 47K part 3 of 4 - 8 message/partial 18K part 4 of 4 -% mhstore 5-8 -reassembling partials 5,6,7,8 to folder inbox as message 9 -% mhlist 9 - msg part type/subtype size description - 9 application/octet-stream 118K - (extract with uncompress | tar xvpf -) - type=tar - conversions=compress -% mhstore -auto 9 --- tar listing appears here as files are extracted -.fi .RE -.PP -As the second -.B tar -listing is generated, the files are extracted. -A prudent user will never put -.B \-auto -in the profile. -The correct procedure is to first use -.B mhlist -to find out what will be extracted. Then -.B mhstore -can be invoked with -.B \-auto -to perform the extraction. .SS "External Access" For contents of type message/external-body, \fImhstore\fR supports these access-types: diff --git a/uip/mhstore.c b/uip/mhstore.c index ed36c96..992d429 100644 --- a/uip/mhstore.c +++ b/uip/mhstore.c @@ -106,7 +106,6 @@ int show_content_aux(CT, int, char *, char *); static void store_single_message(CT); static int store_switch(CT); static int store_generic(CT); -static int store_application(CT); static int store_multi(CT); static int store_partial(CT); static int store_external(CT); @@ -450,9 +449,6 @@ store_switch(CT ct) break; case CT_APPLICATION: - return store_application(ct); - break; - case CT_TEXT: case CT_AUDIO: case CT_IMAGE: @@ -471,7 +467,7 @@ store_switch(CT ct) /* ** Generic routine to store a MIME content. -** (audio, video, image, text, message/rfc922) +** (application, audio, video, image, text, message/rfc922) */ static int 
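Review bot: With `case CT_APPLICATION:` now falling through to the shared case group in store_switch, application parts stored under -auto depend entirely on the name handling in the generic path, presumably store_generic and get_storeproc, and neither body is visible in this hunk. It is worth confirming there that a message-supplied name is refused when it is absolute, contains a `..` component, or begins with `|`, since the removed store_application code suggests a storeproc starting with `|` is run as a command pipe. A one-line comment on the case group would record the intent, e.g. `/* application/* gets no special handling: never derive a command from message parameters */`. The man-page hunk also drops the only caution against putting -auto in the profile, which may still deserve a sentence because -auto remains. store_switch begins and ends outside the hunk.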
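Review bot: The comment line this hunk rewrites above store_generic still says `message/rfc922`; the MIME type is `message/rfc822`, so the line should read `** (application, audio, video, image, text, message/rfc822)`. The function body lies outside the hunk, so whether it applies -auto file naming to application parts cannot be checked from here. If it does, the header comment could state that the name may come from the message and is untrusted.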
@@ -490,73 +486,6 @@ store_generic(CT ct) /* -** Store content of type "application" -*/ - -static int -store_application(CT ct) -{ - char **ap, **ep; - CI ci = &ct->c_ctinfo; - - /* Check if the content specifies a filename */ - if (autosw) - get_storeproc(ct); - - /* - ** If storeproc is not defined, and the content is type - ** "application/octet-stream", we also check for various - ** attribute/value pairs which specify if this a tar file. - */ - if (!ct->c_storeproc && ct->c_subtype == APPLICATION_OCTETS) { - int tarP = 0, zP = 0, gzP = 0; - - for (ap = ci->ci_attrs, ep = ci->ci_values; *ap; ap++, ep++) { - /* check for "type=tar" attribute */ - if (!mh_strcasecmp(*ap, "type")) { - if (mh_strcasecmp(*ep, "tar")) - break; - - tarP = 1; - continue; - } - - /* check for "conversions=compress" attribute */ - if ((!mh_strcasecmp(*ap, "conversions") || - !mh_strcasecmp(*ap, "x-conversions")) - && (!mh_strcasecmp(*ep, "compress") || - !mh_strcasecmp(*ep, "x-compress"))) { - zP = 1; - continue; - } - /* check for "conversions=gzip" attribute */ - if ((!mh_strcasecmp(*ap, "conversions") || - !mh_strcasecmp(*ap, "x-conversions")) - && (!mh_strcasecmp(*ep, "gzip") || - !mh_strcasecmp(*ep, "x-gzip"))) { - gzP = 1; - continue; - } - } - - if (tarP) { - ct->c_showproc = getcpy(zP ? "%euncompress | tar tvf -" : (gzP ? "%egzip -dc | tar tvf -" : "%etar tvf -")); - if (!ct->c_storeproc) { - if (autosw) { - ct->c_storeproc = getcpy(zP ? "| uncompress | tar xvpf -" : (gzP ? "| gzip -dc | tar xvpf -" : "| tar xvpf -")); - ct->c_umask = 0022; - } else { - ct->c_storeproc= getcpy(zP ? "%m%P.tar.Z" : (gzP ? "%m%P.tar.gz" : "%m%P.tar")); - } - } - } - } - - return store_content(ct, NULL); -} - - -/* ** Store the content of a multipart message */ -- 1.7.10.4