httpd-dev mailing list archives

From Maxime Petazzoni <maxime.petazz...@bulix.org>
Subject Re: mod_mbox: incorrect parsing of MIME part-names
Date Fri, 02 Jun 2006 15:14:41 GMT
Hi,

* Gareth McCaughan <gmccaughan@synaptics-uk.com> [2006-06-02 15:02:04]:

> (I sent this to dev@ yesterday, but I wasn't subscribed then.
> Presumably the message just got dropped. It would have been
> nice to have a bounce message at least, but perhaps the levels
> of spam make even that impossible. Alas.)

Thanks a lot for re-posting, feedback like this is always welcome!

> The following patch kinda-sorta deals with this. Remaining
> deficiencies, definite and arguable:
> 
>   - Double-quote pairs other than at the start and end
>     of the value aren't stripped. In other words, the
>     above-mentioned robustness isn't used properly.
>     This is a deficiency.
> 
>   - Isolated double-quotes aren't escaped in any way.
>     There's no clearly-correct way to deal with them,
>     I think, but leaving them as they are means that
>     the problem that prompted me to write this has only
>     been lessened, not entirely fixed. This is a
>     deficiency. Fixing it would substantially complicate
>     the code. Kludging it, for instance by a second pass
>     that simply annihilates double-quotes, would be
>     pretty easy but arguably the Wrong Thing.

This would be pretty hard to parse properly anyway. Although it should
be the job of the MUA to escape those quotes and encapsulate the whole
filename in double-quotes, I've seen so many d***ss mailers while
working on the multipart decoding that we can't rely on them :)

>   - Escaped characters are left escaped. This is probably
>     a deficiency, but a minor one.

Aren't they supposed to remain escaped? If they're unescaped, won't
they hurt the AJAX interface too?

>   - I haven't looked to see whether there are other bits
>     of MIME handling that have the same problem.

I've also fixed a boundary research problem, and it should not suffer
from the same problem ... I hope.

> Applying this patch would certainly be an improvement,
> despite these deficiencies. It might be better to do
> something that goes further, but I shan't attempt to
> do so without some idea of what kind of going-further
> is thought appropriate by the mod_mbox maintainers.

That's a good patch, and working. Thanks for your work and for making
it neat.

Bests,
- Sam
-- 
Maxime Petazzoni (http://www.bulix.org)
 -- gone crazy, back soon. leave message.
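
One way to handle the quoting cases raised in this thread, as an added example (not mod_mbox code and not the patch under discussion): decode the MIME parameter value once at parse time, including quoted-pairs, and escape it separately when it is written to XML. The function names `mime_param_value` and `xml_escape` and the sample input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* Decode one MIME parameter value (token or quoted-string) starting at `in`.
 * Returns 0, or -1 if the quoted-string is unterminated or `out` is too small. */
int mime_param_value(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    if (*in == '"') {                        /* quoted-string */
        for (in++; *in != '"'; in++) {
            if (*in == '\\' && in[1] != '\0') in++;  /* quoted-pair: keep next char */
            if (*in == '\0' || n + 1 >= outsz) return -1;
            out[n++] = *in;
        }
    } else {                                 /* bare token, isolated quotes kept as-is */
        for (; *in && !strchr("; \t\r\n", *in); in++) {
            if (n + 1 >= outsz) return -1;
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Escape a decoded value for XML output. Returns 0, or -1 if `out` is too small. */
int xml_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        const char *rep = *in == '"' ? "&quot;" : *in == '&' ? "&amp;" :
                          *in == '<' ? "&lt;" : *in == '>' ? "&gt;" : NULL;
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= outsz) return -1;
        if (rep) memcpy(out + n, rep, len); else out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char name[64], safe[256];  /* the input below is a constructed sample */
    if (mime_param_value("\"a \\\"b\\\" & c.txt\"; x=y", name, sizeof name) == 0 &&
        xml_escape(name, safe, sizeof safe) == 0)
        printf("%s -> %s\n", name, safe);
    return 0;
}
```

With decoding and output escaping kept apart, an isolated double-quote in a bare token is stored literally and only becomes `&quot;` at the point where it is emitted.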
