| Age | Commit message (Collapse) | Author |
|---|
|
buf is size STRING while the environment variable is copied into a
LONG_STRING, so lng can be past the end of buf. Swap the comparison
order to make sure they match (and thus ensuring buf[lng] isn't
outside the buffer).
|
|
Ticket 405 had an almost-exploit enabled by sloppy assignment of
strlen(). There were more details involved, of course, but this
served as encouragement to clean up obvious "strlen assignment to int"
in the rest of the code.
Note this is not *all* cases, only those that were simple and obvious.
In some cases, the code assigns strlen() to an int but also uses that
variable to hold negative values for another reason. In other cases,
an API is involved (e.g. SASL) that make changing potentially
dangerous. And lastly, some functions were just a bit too complicated
to risk introducing a bug.
|
|
Clean up iconv state and state->prefix handling instead of just
returning. This is done for the other encoding handlers.
|
|
mutt_decode_uuencoded() used each line's initial "length character"
without any validation. It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.
As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust. However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.
Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.
|
|
Some old smime (and other parts of the code) have out of date comments
asserting mutt_decode_attachment() modifies the body length, offset,
and type fields.
Add a const modifier to the parameter and called functions to assert
this is not the case.
|
|
Thanks to Vincent Lefèvre for pointing out the incorrect usage. POSIX
does not specify the actual values (although they are evidently
commonly in use).
|
|
This will allow "view" mailcap invocations and autoview invocations to
display something reasonable for international file names. Also add
the flag to mutt_adv_mktemp(), which the mailcap viewer calls.
Convert the 'slash parameter' to an ALLOW_SLASH flag. This makes the
flags consistent (both "allow" something not permitted by default),
and invocations more readable.
|
|
Add a MUTT_CM_FORWARDING flag to correspond with the MUTT_CM_REPLYING
flag. Check those to turn on ANSI filtering.
In order to guard against other accidental prefix setting without one
of those flags, also check s->prefix to enable ANSI filtering (and
prefix printing) too.
Add missing MUTT_CM_REPLYING flags to the recvcmd.c reply functions.
While updating the recvcmd.c reply code, I noticed CH_REORDER wasn't
enabled with OPTWEED, like in the send.c code (and everywhere else),
so add the missing flag.
|
|
This is a part two, made in master, to the stable branch commit
11b18027. These are mostly length adjustments to use LOFF_T, matching the
BODY->length type.
An argument could be made for size_t instead, and a few places in Mutt
do assign between those types. I've used LOFF_T because off_t is a
signed integer. Some changes in this commit affect loops that
decrement a length pointer while > 0. Switching to a size_t could
create a wraparound infinite loop bug.
This also changes the Content-Length header parser to use atoll()
intead of atol(). I noticed from the man page that atol() doesn't
seem to return -1 on error. But I've kept the check anyway.
|
|
Rather than duplicate the logic, move the function back inside
pager.c. Add a parameter to optionally remove attachment markers.
Inside fill_buffer(), use a stack-based buffer and directly assign the
buffer.data back to fmt, to keep it as fast as before.
|
|
A demonstration attack using a million tiny parts will freeze Mutt for
several minutes. This is actually better than some other mail
software, but can still be a problem at large levels.
For now, set it to a very conservative 5000, but this can be adjusted
up (or down) if necessary.
Declare the previous stack-limit max depth as a constant too, and
decrease it down to 50. Change the handler to return non-fatal "1" on
reaching the limit.
|
|
If $allow_ansi is set, and the user has an autoview generating ansi
output, it is helpful to strip out those sequences.
This is based on Fabian's patch for ticket #218. My version results
in partially duplicated logic, but avoids tangling the handler with
pager's internal fill_buffer() logic.
|
|
When displaying a message, display a mutt_error() to warn of
incomplete rendering.
Fix mutt_copy_message() to check for ferror and feof errors on partial
decode too.
Clean up _mutt_append_message() to not pass a partial-decode along as
a success.
Modify the crypt handlers to return 1 if any kind of state message is
displayed. There is some fuzzyness about what a "fatal" error is, but
for now just consider a handler error that notifies by
state_attach_puts() as "non-fatal".
|
|
Limit to 100 depth to prevent a crash due to stack overflow. If this
turns out to be too large (or small), I'll adjust it.
|
|
Most of these were already commented. Change a few of them to
a format gcc will recognize. In the future, we'll want to change to
whatever is standardized.
|
|
Because of mime_lookup commands, the call to mutt_check_lookup_list()
inside the function can modify the passed in type. Add an explicit
length parameter to the function, rather than assume the parameter
size. This also makes it more evident the type parameter can be
modified to callers.
Change the len parameter to mutt_check_lookup_list() to type size_t,
just to be correct about it.
|
|
|
|
Try autocrypt first for crypt_pgp_decrypt_mime() and
pgp_gpgme_encrypted_handler().
Propagate the autocrypt bit if successful. This is used when replying
to an autocrypt message, to force a reply using autocrypt.
|
|
MuttVars of those types are set via safe_strdup(), which returns NULL
if the original is "". Thus Var implies *Var.
A good portion of the code relies on that axiom, but over the years
some (Var && *Var) checks have crept in, including from me.
This was partially because of the INITVAL("") that were in the code,
which implied (incorrectly) the initial value could be "". Commit
2f91d43e removed those to make it more clear.
This commit removes the *Var checks to make it even clearer, and help
avoid them creeping back in again.
|
|
First, option(OPTVIEWATTACH) is only set for (s->flags & DISPLAY), so that
check can be ignored.
With that removed, all this is doing is printing
[-- This is an attachment ...]
with no context in the middle of non-display rendering for the case
$honor_disposition is set with a handler.
This makes no sense and I believe is a logic error. Perhaps this
never took effect, but with $forward_attachments it now affects
forwarding in that case.
|
|
Remove buffer prefix now that all callers are converted.
|
|
Now that all callers pass a BUFFER, the buffer prefix is not needed to
distinguish the parameter.
|
|
This will allow the full conversion of rfc1524_expand_filename(), and
thereafter mutt_adv_mktemp() too.
|
|
@jensvoid, in cooperation with Ruhr-Uni Bochum and FH Münster,
Germany, reported a possible "Oracle decryption" attack on various
mail clients. An attacker could include previously encrypted contents
they obtained access to, and include it in a message. Replying
without trimming would include the decrypted contents.
This attack relies on several "ifs", and is more dangerous for clients
that compose HTML mail. However, it is still an issue that an
unwary/busy Mutt user could fall for.
Add a new config $include_encrytped, defaulting off, to reduce the
possibility of the user being unaware of previously encrypted parts in
the reply. Only the main initial encrypted part will be included in
the reply.
|
|
Add spaces after if, else, while, for, switch.
Unify the brace placement style. The vast majority of the code uses
Allman style so convert the relatively few K&R braces over.
|
|
These are mostly automated changes corresponding to the emacs
settings:
(c-set-style "linux")
(setq c-basic-offset 2)
(c-set-offset 'case-label '+)
Most of the code follows the convention:
(add-to-list 'c-cleanup-list 'space-before-funcall)
but this is not enforced by this indentation cleanup.
Also, I personally dislike tabs, so I have:
(setq-default indent-tabs-mode nil)
in my own configuration. However I have no desire to change every line
just for that effect. So this cleanup does nothing about the mix issue.
Some of the secondary files (e.g. regex.c) have been skipped.
I've also skipped crypt-gpgme.c, because I need to think about that
file. Werner Koch and the GnuPG team contributed most it, and it
follows the Gnu indentation settings. It should probably be made
uniform with Mutt, but I don't want to discourage future GnuPG
contribution to the file.
I manually reverted a few unsightly cleanups, and added a few tweeks
when I saw things that could be improved.
|
|
The result of
find . -name "*.[ch]" -exec emacs -batch {} \
--eval="(progn (delete-trailing-whitespace) (and (buffer-modified-p) (save-buffer)))" \;
|
|
Some clients (or even mail servers) improperly encode the octetstream
part.
Thanks to Riccardo Schirone for the original merge request patch.
This commit also handles the attachment menu, and makes the decoding
conditional so it's not done if it isn't necessary.
|
|
Add $crypt_protected_headers_read config variable to enable reading
and updating the index/header cache.
Print protected Subject header in the pager as parts are rendered.
Once opened, update the index, subject hash, and header cache.
|
|
Changeset 23334e967dd7 created a workaround for a namespace conflict
with Solaris and derivatives. After some discussion, the team decided
it would be best to move away from using the "M_" prefix for macros.
This patch was automatically generated by running:
perl -wpi -e 's/\bM_(\w+)\b/MUTT_$1/g' `find . -name '*.[ch]' -print`
with the exception that sys_socket.h was exempted. (That file will
be backed out subsequent to this commit.)
Thanks to Andras Salamon for supplying the perl script used to make
this change.
|
|
Most of these were just message update/clearing.
|
|
This patch only updates existing copyright notices in the source
files, using commit dates since the last copyright update in commits
e3af935cdb1a and f8fd60d8d3f2.
Add a notice to the COPYRIGHT file to refer to our mercurial
repository for the full commit history.
Add myself to the COPYRIGHT file and smime_keys.pl file.
|
|
In certain circumstances, Exchange corrupts a multipart/encrypted block
into:
<multipart/mixed>
<text/plain>
<application/pgp-encrypted> [BASE64-encoded]
<application/octet-stream> [BASE64-encoded]
This patch pulls the full detection of valid/invalid multiparts
into mutt_body_handler(). It extracts a run_decode_and_handler()
function, which is reused by new intermediate handlers to decode
the application/octet-stream part before passing it directly to
crypt_pgp_encrypted_handler. These intermediate handlers then check
and set any GOODSIG flags back into the parent part.
This change may result in less error messages for invalid
multipart/encrypted parts. Instead, mutt will default to the
multipart_handler if it isn't fully "correct".
Viewing attachments uses crypt_pgp_decrypt_mime() which bypasses the
handler mechanism. Add decoding to the decrypt_mime() functions for pgp
and gpgme.
Thanks to Vincent Brillault for his analysis and initial patch.
|
|
In mutt_is_autoview(), changeset b58cdfacfb89 introduced a call to
rfc1524_mailcap_lookup() before checking if the MIME type should
be autoviewed based on the user's preferences. This caused a major
performance regression for ~b/~B searching.
Rearrange mutt_is_autoview() to check the user preferences first, then
search for a mailcap entry only if the MIME type should be autoviewed.
In order to preserve correct mime_lookup behavior, re-add a call to
mutt_check_lookup_list() before scanning the AutoViewList.
|
|
closes #3487
|
|
|
|
|
|
mailcap entry and either $implicit_autoview is set or the MIME type matches the user's auto_view list.
closes #3496
closes #3426
|
|
closes #3558
|
|
Many structs used in mutt are actually constant but are defined
without the 'const' keyword. This can slow initialization (slightly)
in some environments due to extra copying and increases the amount of
writable RAM required at run-time, which can be significant on non-MMU
systems. Using const can also increase the opportunities for compiler
optimization.
The attached patch marks many such structures as const. On my test x86
build, this reduces the size of .data by over 50%.
|
|
format=flowed text parts.
|
|
This is needed to unbreak text/enriched rendering on Linux.
|
|
|
|
|
|
#3275.
|
|
|
|
We now distinct between sending and display case. For display,
we always use tabs for folding for readability; for sending we
now correctly fold using whitespace found in the header.
Closes #2995. Closes #3080.
|
|
|
|
RFC2045 (sect. 6.7, (1) general 8bit representation)
states that neither CR nor LF of the trailing CRLF may
be qp-encoded. So we ignore trailing qp-encoded CRs.
See #2898 though this is a partial fix only.
|
|
If we make a fixed reply to a flowed message we remove trailing
spaces and can now safely allow $indent_string to be used which
is what users expect.
Second, if we make a flowed reply to a fixed message we also
strip trailing spaces since from format=fixed we assume all
lines are fixed (i.e. we don't want to errorneously make fixed
lines flowed).
|
