<<< Date Index >>>     <<< Thread Index >>>

Re: RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)



* Wed Jul 12 2006 Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
> > IIRC, Thomas prefers rfc2368sec.4:
> > http://www.momonga-linux.org/~tamo/patch-1.5.9.tamo.rfc2368sec.4
> > http://thread.gmane.org/gmane.mail.mutt.devel/7507/focus=7522
> 
> Looking at this, I guess I'd like to throw out the
> OPTCONFIRMHEADERS part of it, and just stick to (a) prepending
> the X-Mailto-URL-... (or maybe just X-Mailto) prefix, and (b)
> overriding ask-cc and ask-bcc as the patch does.
> 
> Mind preparing a version that does this?

Well, quick diff is here. Not tested yet.

-- 
tamo
? scr.txt
? utf8.txt
Index: send.c
===================================================================
RCS file: /home/roessler/cvs/mutt/send.c,v
retrieving revision 3.45
diff -p -u -r3.45 send.c
--- send.c      9 Jan 2006 19:43:59 -0000       3.45
+++ send.c      13 Jul 2006 09:24:51 -0000
@@ -220,9 +220,9 @@ static int edit_envelope (ENVELOPE *en)
 
   if (edit_address (&en->to, "To: ") == -1 || en->to == NULL)
     return (-1);
-  if (option (OPTASKCC) && edit_address (&en->cc, "Cc: ") == -1)
+  if ((en->cc || option (OPTASKCC)) && edit_address (&en->cc, "Cc: ") == -1)
     return (-1);
-  if (option (OPTASKBCC) && edit_address (&en->bcc, "Bcc: ") == -1)
+  if ((en->bcc || option (OPTASKBCC)) && edit_address (&en->bcc, "Bcc: ") == 
-1)
     return (-1);
 
   if (en->subject)
Index: url.c
===================================================================
RCS file: /home/roessler/cvs/mutt/url.c,v
retrieving revision 3.9
diff -p -u -r3.9 url.c
--- url.c       17 Sep 2005 20:46:11 -0000      3.9
+++ url.c       13 Jul 2006 09:24:51 -0000
@@ -249,9 +249,16 @@ int url_parse_mailto (ENVELOPE *e, char 
     }
     else 
     {
-      taglen = strlen (tag);
+      const char *x_mailto="";
+
+      /* see RFC2368 security considerations */
+      if (ascii_strcasecmp (tag, "subject") &&
+         ascii_strcasecmp (tag, "cc") &&
+         ascii_strcasecmp (tag, "bcc"))
+       x_mailto="X-Mailto-";
+      taglen = strlen (tag) + strlen (x_mailto);
       /* mutt_parse_rfc822_line makes some assumptions */
-      snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
+      snprintf (scratch, sizeof (scratch), "%s%s: %s", x_mailto, tag, value);
       scratch[taglen] = '\0';
       value = &scratch[taglen+1];
       SKIPWS (value);