Changeset 5154:3d1d7f6cf693
- Timestamp:
- 2007-04-02 15:20:58 (20 months ago)
- Author:
- Brendan Cully <brendan@…>
- Branch:
- mutt-1-4-stable
- Message:
-
Validate msgid in APOP authentication. Closes #2846
- Files:
-
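--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -185,4 +185,11 @@
 return POP_A_UNAVAIL;
 
+if (rfc822_valid_msgid (pop_data->timestamp) < 0)
+{
+mutt_error _("POP timestamp is invalid!");
+mutt_sleep (2);
+return POP_A_UNAVAIL;
+}
+
 mutt_message _("Authenticating (APOP)...");
 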
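Review bot: The new check at line 187 carries no comment saying why a POP server timestamp is being validated as an RFC 822 msg-id; a reader has to find the "#2846" remark in the callee's definition to learn that this is the point of the change. I would put one line above it: `/* the APOP challenge must be a well-formed msg-id; anything else is rejected (#2846) */`. The failure path correctly mirrors the existing POP_A_UNAVAIL return just above it. The enclosing function starts before and continues past this hunk.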
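--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -765,4 +765,50 @@
 }
 
+/* incomplete. Only used to thwart the APOP MD5 attack (#2846). */
+int rfc822_valid_msgid (const char *msgid)
+{
+/* msg-id = "<" addr-spec ">"
+* addr-spec = local-part "@" domain
+* local-part = word *("." word)
+* word = atom / quoted-string
+* atom = 1*<any CHAR except specials, SPACE and CTLs>
+* CHAR = ( 0.-127. )
+* specials = "(" / ")" / "<" / ">" / "@"
+/ "," / ";" / ":" / "\" / <">
+/ "." / "[" / "]"
+* SPACE = ( 32. )
+* CTLS = ( 0.-31., 127.)
+* quoted-string = <"> *(qtext/quoted-pair) <">
+* qtext = <any CHAR except <">, "\" and CR>
+* CR = ( 13. )
+* quoted-pair = "\" CHAR
+* domain = sub-domain *("." sub-domain)
+* sub-domain = domain-ref / domain-literal
+* domain-ref = atom
+* domain-literal = "[" *(dtext / quoted-pair) "]"
+*/
+
+char* dom;
+unsigned int l, i;
+
+if (!msgid || !*msgid)
+return -1;
+
+l = mutt_strlen (msgid);
+if (l < 5) /* <atom@atom> */
+return -1;
+if (msgid[0] != '<' || msgid[l-1] != '>')
+return -1;
+if (!(dom = strrchr (msgid, '@')))
+return -1;
+
+/* TODO: complete parser */
+for (i = 0; i < l; i++)
+if (msgid[i] > 127)
+return -1;
+
+return 0;
+}
+
 #ifdef TESTING
 int safe_free (void **p)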
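Review bot: The 7-bit check at line 807, `if (msgid[i] > 127)`, is dead code wherever `char` is signed: bytes 0x80-0xFF read as negative values and never compare greater than 127, so the CHAR = 0-127 restriction the grammar comment states is not actually enforced on those platforms. Compare through `unsigned char` instead: `if ((unsigned char) msgid[i] > 127)`. `dom` is assigned from `strrchr` at line 802 but only tested for NULL, so either drop it (`if (!strrchr (msgid, '@'))`) or use it to require that the '@' sits strictly between the brackets with a non-empty domain — as written, `<ab@>` passes every check. `l` is `unsigned int` while `mutt_strlen` presumably returns a `size_t`; declaring `l` and `i` as `size_t` avoids the narrowing.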
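--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -56,4 +56,5 @@
 void rfc822_free_address (ADDRESS **addr);
 void rfc822_cat (char *, size_t, const char *, const char *);
+int rfc822_valid_msgid (const char *msgid);
 
 extern int RFC822Error;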
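Review bot: The new prototype at line 58 states no contract: a caller cannot tell from the header that the function returns 0 for a well-formed msg-id and -1 otherwise, nor that the check is deliberately partial (the definition itself says "incomplete"). I would document that here rather than only in the .c file: `/* 0 if msgid looks like <local-part@domain> in 7-bit chars, -1 otherwise; partial check only (#2846) */`.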