From dfacc915824a819be2e33cdb2a34d1d1de27fc34 Mon Sep 17 00:00:00 2001
From: Dan Harkless
Date: Thu, 6 Apr 2000 00:11:50 +0000
Subject: [PATCH] Applied Eric Schnoebelen's mhshowsbr.c patch fixing apparent bugs in Dan Winship's new security quoting code:

Since upgrading, I've been getting the following errors while attempting to process some MIME messages:

(1) Syntax error: Unterminated quoted string
    exit 2

and:

(2) line 1/10 (END)Segmentation fault (core dumped)

(2) appears to be due to the testing of an unset pointer in mhshowsbr.c:show_multi_aux(). (1) appears to be caused by mis-quoting a filename being handed to the shell in mhshowsbr.c:show_content_aux().

Resolving the pointer reference issue in mhshowsbr.c:show_multi_aux() turned up a similar mis-quoting problem in the routine.
---
 ChangeLog       | 29 ++++++++++++++++++++++++++---
 uip/mhshowsbr.c | 18 ++++++++++++++++--
 2 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 304ae74..c15f910 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,31 @@ +Wed Apr 05 21:09:28 2000 Dan Harkless + + * Applied Eric Schnoebelen 's mhshowsbr.c patch + fixing apparent bugs in Dan Winship's new security quoting code: + + Since upgrading, I've been getting the following errors + while attempting to process some MIME messages: + + (1) Syntax error: Unterminated quoted string + exit 2 + + and: + + (2) line 1/10 (END)Segmentation fault (core dumped) + + (2) appears to be due to the testing of an unset pointer in + mhshowsbr.c:show_multi_aux(). (1) appears to be caused by + mis-quoting a filename being handed to the shell in + mhshowsbr.c:show_content_aux(). + + Resolving the pointer reference issue in + mhshowsbr.c:show_multi_aux() turned up a similar mis-quoting + problem in the routine. + Tue Mar 28 16:17:39 2000 Doug Morris - * Applied Todd Miller 's patch to - dropsbr.c to prevent core dumping on packf. Here's the note - from his message: + * Applied Todd.Miller@courtesan.com's patch to dropsbr.c to + prevent core dumping on packf. Here's the note from his message: Since sizeof(buffer) == sizeof(tmpbuffer) packf will dump core on a file w/o a From line with a line >= BUFSIZ. diff --git a/uip/mhshowsbr.c b/uip/mhshowsbr.c index 9745504..71f55a4 100644 --- a/uip/mhshowsbr.c +++ b/uip/mhshowsbr.c @@ -405,7 +405,16 @@ show_content_aux (CT ct, int serial, int alternate, char *cp, char *cracked) case 'f': /* insert filename containing content */ - snprintf (bp, buflen, "%s", file); + snprintf (bp, buflen, "'%s'", file); + /* since we've quoted the file argument, set things up + * to look past it, to avoid problems with the quoting + * logic below. (I know, I should figure out what's + * broken with the quoting logic, but..) + */ + len = strlen(bp); + buflen -= len; + bp += len; + pp = bp; break; case 'p': 
@@ -869,8 +878,9 @@ show_multi_aux (CT ct, int serial, int alternate, char *cp) quoted = 0; /* Now parse display string */ - for ( ; *cp; cp++) { + for ( ; *cp && buflen > 0; cp++) { if (*cp == '%') { + pp = bp; switch (*++cp) { case 'a': /* insert parameters from Content-Type field */ @@ -923,6 +933,10 @@ show_multi_aux (CT ct, int serial, int alternate, char *cp) buflen -= len; s = " "; } + /* set our starting pointer back to bp, to avoid + * requoting the filenames we just added + */ + pp = bp; } break; -- 1.7.10.4
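
Review bot: The ChangeLog hunk rewords and rewraps the existing Tue Mar 28 dropsbr.c entry (the "Applied Todd Miller 's patch" lines) in the same change as the new Apr 05 entry. That edit is unrelated to the mhshowsbr.c fix and makes the history of the older entry harder to follow; please drop it from this patch or send it separately.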
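
Review bot: In the show_content_aux hunk (@@ -405), case 'f' now formats the name with `snprintf (bp, buflen, "'%s'", file);`, which wraps it in single quotes but leaves any single quote inside `file` untouched, so a name containing one would end the quoting early and bring back the "Unterminated quoted string" error, with the remainder of the name reaching the shell unquoted. Please escape embedded single quotes before formatting, or refuse such names. The added comment also says the later quoting logic is still broken and is only being skipped by moving `pp` past the argument; that deserves a tracked follow-up, since every other escape still goes through that logic.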
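
Review bot: In the first show_multi_aux hunk (@@ -869), the new guard `for ( ; *cp && buflen > 0; cp++)` stops the parse when the buffer runs out, but nothing visible here distinguishes that exit from reaching the end of the display string, so a truncated command could still be passed on to the shell. Please check after the loop whether `*cp` is still non-zero and treat that as an error instead of continuing. The added `pp = bp;` sits only inside the `if (*cp == '%')` branch; a short comment saying that this is the initialisation the later quoting code depends on (the unset pointer from the commit message) would help the next reader.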
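
Review bot: In the second show_multi_aux hunk (@@ -923), resetting `pp = bp;` after the filenames are appended tells the later quoting pass to skip them, which is only safe if each name was already quoted when it was added; the hunk does not show that. Please have the comment state where that quoting happens, and confirm it copes with a single quote inside a name. The same skip-past-what-was-just-written step now appears in both show_content_aux and show_multi_aux, so a small shared helper would keep the two routines from drifting apart.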