Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)

To: mutt-dev@xxxxxxxx
Subject: Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
From: TAKAHASHI Tamotsu <ttakah@xxxxxxxxxxxxxxxxx>
Date: Thu, 13 Jul 2006 18:29:14 +0900
In-reply-to: <20060712181501.GD14959@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?Subject="Unsubscribe Mutt Dev"?body=unsubscribe>
Mail-followup-to: mutt-dev@xxxxxxxx
References: <44B29EC2.4010805@xxxxxxxxx> <20060711232756.GQ9875@xxxxxxxxxxxxxxxxxxx> <20060711233531.GI11269@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20060712000829.GU9875@xxxxxxxxxxxxxxxxxxx> <20060712141345.GB6596@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20060712181501.GD14959@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Mutt/1.5.11-2006-07-05

* Wed Jul 12 2006 Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
> > IIRC, Thomas prefers rfc2368sec.4:
> > http://www.momonga-linux.org/~tamo/patch-1.5.9.tamo.rfc2368sec.4
> > http://thread.gmane.org/gmane.mail.mutt.devel/7507/focus=7522
> 
> Looking at this, I guess I'd like to throw out the
> OPTCONFIRMHEADERS part of it, and just stick to (a) prepending
> the X-Mailto-URL-... (or maybe just X-Mailto) prefix, and (b)
> overriding ask-cc and ask-bcc as the patch does.
> 
> Mind preparing a version that does this?

Well, quick diff is here. Not tested yet.

-- 
tamo

? scr.txt
? utf8.txt
Index: send.c
===================================================================
RCS file: /home/roessler/cvs/mutt/send.c,v
retrieving revision 3.45
diff -p -u -r3.45 send.c
--- send.c      9 Jan 2006 19:43:59 -0000       3.45
+++ send.c      13 Jul 2006 09:24:51 -0000
@@ -220,9 +220,9 @@ static int edit_envelope (ENVELOPE *en)
 
   if (edit_address (&en->to, "To: ") == -1 || en->to == NULL)
     return (-1);
-  if (option (OPTASKCC) && edit_address (&en->cc, "Cc: ") == -1)
+  if ((en->cc || option (OPTASKCC)) && edit_address (&en->cc, "Cc: ") == -1)
     return (-1);
-  if (option (OPTASKBCC) && edit_address (&en->bcc, "Bcc: ") == -1)
+  if ((en->bcc || option (OPTASKBCC)) && edit_address (&en->bcc, "Bcc: ") == 
-1)
     return (-1);
 
   if (en->subject)
Index: url.c
===================================================================
RCS file: /home/roessler/cvs/mutt/url.c,v
retrieving revision 3.9
diff -p -u -r3.9 url.c
--- url.c       17 Sep 2005 20:46:11 -0000      3.9
+++ url.c       13 Jul 2006 09:24:51 -0000
@@ -249,9 +249,16 @@ int url_parse_mailto (ENVELOPE *e, char 
     }
     else 
     {
-      taglen = strlen (tag);
+      const char *x_mailto="";
+
+      /* see RFC2368 security considerations */
+      if (ascii_strcasecmp (tag, "subject") &&
+         ascii_strcasecmp (tag, "cc") &&
+         ascii_strcasecmp (tag, "bcc"))
+       x_mailto="X-Mailto-";
+      taglen = strlen (tag) + strlen (x_mailto);
       /* mutt_parse_rfc822_line makes some assumptions */
-      snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
+      snprintf (scratch, sizeof (scratch), "%s%s: %s", x_mailto, tag, value);
       scratch[taglen] = '\0';
       value = &scratch[taglen+1];
       SKIPWS (value);

Follow-Ups:
- Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
  - From: TAKAHASHI Tamotsu

References:
- CVE-2006-3242 and a new mutt release
  - From: Jonathan Smith
- Re: CVE-2006-3242 and a new mutt release
  - From: Vincent Lefevre
- Re: CVE-2006-3242 and a new mutt release
  - From: Thomas Roessler
- Re: CVE-2006-3242 and a new mutt release
  - From: Vincent Lefevre
- RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
  - From: TAKAHASHI Tamotsu
- Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
  - From: Thomas Roessler

Prev by Date: [2006-07-13] CVS repository changes
Next by Date: Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
Previous by thread: Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
Next by thread: Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)
Index(es):
- Date
- Thread