[pkg-horde] [SCM] Debian Horde Packages repository: horde3 package branch, debian-lenny, updated. 244771356d5ee1a12d926ce1791a7ab4a870ca3b
Gregory Colpart
reg at debian.org
Wed Nov 3 22:53:16 UTC 2010
The following commit has been merged in the debian-lenny branch:
commit abc715181078c1dbeb73384ed5dfd3a8d6d4131c
Author: Gregory Colpart <reg at debian.org>
Date: Sun Oct 31 19:17:36 2010 +0100
Fix annoying bug in address validation (Closes: #562965)
diff --git a/debian/changelog b/debian/changelog
index 38017ef..6c58d63 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,9 @@ horde3 (3.2.2+debian0-2+lenny3) stable-security; urgency=high
* Fix typo in patch for CVE-2009-3236.
* Fix CVE-2010-3077 and CVE-2010-3694 (Closes: #598582)
* Fix annoying bug in cache sql driver (Closes: #566610)
+ * Fix annoying bug in address validation (Closes: #562965)
- -- Gregory Colpart <reg at debian.org> Sun, 31 Oct 2010 18:58:03 +0100
+ -- Gregory Colpart <reg at debian.org> Sun, 31 Oct 2010 19:16:38 +0100
horde3 (3.2.2+debian0-2+lenny2) stable-security; urgency=high
diff --git a/lib/Horde/MIME.php b/lib/Horde/MIME.php
index 0067ca3..b5afb93 100644
--- a/lib/Horde/MIME.php
+++ b/lib/Horde/MIME.php
@@ -92,13 +92,6 @@ class MIME {
);
/**
- * Filter for RFC822.
- *
- * @var string
- */
- var $rfc822_filter = "()<>@,;:\\\"[]\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\20\21\22\23\24\25\26\27\30\31\32\33\34\35\36\37\177";
-
- /**
* Determines if a string contains 8-bit characters.
*
* @param string $string The string to check.
@@ -540,12 +533,12 @@ class MIME {
$address = '';
if (!empty($personal)) {
- $address .= MIME::_rfc822Encode($personal);
+ $address .= MIME::_rfc2822Encode($personal, 'personal');
$address .= ' <';
}
if (!is_null($host)) {
- $address .= MIME::_rfc822Encode($mailbox);
+ $address .= MIME::_rfc2822Encode($mailbox, 'address');
if (substr($host, 0, 1) != '@') {
$address .= '@' . $host;
}
@@ -803,21 +796,32 @@ class MIME {
}
/**
- * Quotes and escapes the given string if necessary.
+ * Quotes and escapes the given string if necessary using rules contained
+ * in RFC 2822 [3.2.5].
*
* @access private
*
- * @param string $str The string to be quoted and escaped.
- * @param string $filter A list of characters that make it necessary to
- * quote the string if they occur.
+ * @param string $str The string to be quoted and escaped.
+ * @param string $type Either 'address' or 'personal'.
*
* @return string The correctly quoted and escaped string.
*/
- function _rfc822Encode($str, $filter = '')
+ function _rfc2822Encode($str, $type = 'address')
{
- if (empty($filter)) {
- $vars = get_class_vars('MIME');
- $filter = $vars['rfc822_filter'] . ' ';
+ // Excluded (in ASCII): 0-8, 10-31, 34, 40-41, 44, 58-60, 62, 64,
+ // 91-93, 127
+ $filter = "\0\1\2\3\4\5\6\7\10\12\13\14\15\16\17\20\21\22\23\24\25\26\27\30\31\32\33\34\35\36\37\"(),:;<>@[\\]\177";
+
+ switch ($type) {
+ case 'address':
+ // RFC 2822 [3.4.1]: (HTAB, SPACE) not allowed in address
+ $filter .= "\11\40";
+ break;
+
+ case 'personal':
+ // RFC 2822 [3.4]: Period not allowed in display name
+ $filter .= '.';
+ break;
}
// Strip double quotes if they are around the string already.
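Review bot: The `switch ($type)` in `_rfc2822Encode()` has no `default:` branch, so any value other than 'address' or 'personal' (a typo at a future call site, for instance) silently gets only the base filter, and neither whitespace nor a period will trigger quoting. Because this filter decides which strings get quoted before they go into a mail header, the fallback should be explicit and strict, for example `default: $filter .= "\11\40."; break;`. The docblock for `$type` should also state what happens for an unrecognised value. The two call sites in the earlier MIME.php hunk pass valid literals, so this only guards later callers. The rest of the function body lies outside this hunk, so how `$str` is escaped once quoting is triggered cannot be checked from here.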
--
Debian Horde Packages repository: horde3 package