[Pkg-wmaker-commits] [wmbiff] 02/15: hostname paranoia patch -- use -relax to skip hostname validation check, parse ambiguous config lines
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:03:19 UTC 2015
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to tag wmbiff_0_4_15
in repository wmbiff.
commit 60de1ed7635b4de81d0eef70d7dd506c7255d6aa
Author: bluehal <bluehal>
Date: Sun Mar 2 02:17:14 2003 +0000
hostname paranoia patch -- use -relax to skip hostname validation check, parse ambiguous config lines
---
wmbiff/Imap4Client.c | 27 ++++++++++++++++++--------
wmbiff/Makefile.am | 2 +-
wmbiff/Pop3Client.c | 28 ++++++++++++++++++++-------
wmbiff/regulo.c | 12 ++++++++++++
wmbiff/regulo.h | 3 ++-
wmbiff/socket.c | 30 +++++++++++++++++++++++++++--
wmbiff/test_wmbiff.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++-----
wmbiff/wmbiff.c | 15 ++++++++++++++-
8 files changed, 145 insertions(+), 25 deletions(-)
diff --git a/wmbiff/Imap4Client.c b/wmbiff/Imap4Client.c
index 2534f7a..e487f65 100644
--- a/wmbiff/Imap4Client.c
+++ b/wmbiff/Imap4Client.c
@@ -30,9 +30,7 @@
#define PCU (pc->u).pop_imap
-#ifdef __LCLINT__
-void asprintf( /*@out@ */ char **out, char *fmt, ...);
-#endif
+extern int Relax;
#define IMAP_DM(pc, lvl, args...) DM(pc, lvl, "imap4: " args)
@@ -317,9 +315,11 @@ int imap4Create( /*@notnull@ */ Pop3 pc, const char *const str)
{
int i;
int matchedchars;
+ /* special characters aren't allowed in hostnames, rfc 1034 */
const char *regexes[] = {
- ".*imaps?:([^: ]{1,32}):([^@]{0,32})@([^/: ]+)(/(\"[^\"]+\")|([^: ]+))?(:[0-9]+)? *",
- ".*imaps?:([^: ]{1,32}) ([^ ]{1,32}) ([^/: ]+)(/(\"[^\"]+\")|([^: ]+))?( [0-9]+)? *",
+ // type : username : password @ hostname (/ name)?(:port)?
+ ".*imaps?:([^: ]{1,32}):([^@]{0,32})@([A-Za-z][-A-Za-z0-9_.]+)(/(\"[^\"]+\")|([^:@ ]+))?(:[0-9]+)?( *([CcAaPp][-A-Za-z5 ]*))?$",
+ ".*imaps?:([^: ]{1,32}) ([^ ]{1,32}) ([A-Za-z][-A-Za-z0-9_.]+)(/(\"[^\"]+\")|([^: ]+))?( [0-9]+)?( *([CcAaPp][-A-Za-z5 ]*))?$",
NULL
};
char *unaliased_str;
@@ -330,9 +330,17 @@ int imap4Create( /*@notnull@ */ Pop3 pc, const char *const str)
{3, PCU.serverName, regulo_strcpy},
{4, pc->path, regulo_strcpy_skip1},
{7, &PCU.serverPort, regulo_atoi},
+ {9, PCU.authList, regulo_strcpy_tolower},
{0, NULL, NULL}
};
+ if (Relax) {
+ regexes[0] =
+ ".*imaps?:([^: ]{1,32}):([^@]{0,32})@([^/: ]+)(/(\"[^\"]+\")|([^:@ ]+))?(:[0-9]+)?( *(.*))?$";
+ regexes[1] =
+ ".*imaps?:([^: ]{1,32}) ([^ ]{1,32}) ([^/: ]+)(/(\"[^\"]+\")|([^: ]+))?( [0-9]+)?( *(.*))?$";
+ }
+
/* IMAP4 format: imap:user:password at server/mailbox[:port] */
/* If 'str' line is badly formatted, wmbiff won't display the mailbox. */
@@ -360,6 +368,7 @@ int imap4Create( /*@notnull@ */ Pop3 pc, const char *const str)
/* defaults */
PCU.serverPort = (PCU.dossl != 0) ? 993 : 143;
+ PCU.authList[0] = '\0';
/* argh, str and pc->path are aliases, so we can't just write the default
value into the string we're about to parse. */
@@ -374,15 +383,17 @@ int imap4Create( /*@notnull@ */ Pop3 pc, const char *const str)
/* failed to match either regex */
if (matchedchars <= 0) {
pc->label[0] = '\0';
- IMAP_DM(pc, DEBUG_ERROR, "Couldn't parse line %s (%d)\n",
- unaliased_str, matchedchars);
+ IMAP_DM(pc, DEBUG_ERROR, "Couldn't parse line %s (%d)\n"
+ " If this used to work, run wmbiff with the -relax option, and\n"
+ " send mail to wmbiff-devel at lists.sourceforge.net with the hostname\n"
+ " of your mail server.\n", unaliased_str, matchedchars);
return -1;
}
if (PCU.password[0] == '\0')
PCU.interactive_password = 1;
- grab_authList(unaliased_str + matchedchars, PCU.authList);
+ // grab_authList(unaliased_str + matchedchars, PCU.authList);
free(unaliased_str);
diff --git a/wmbiff/Makefile.am b/wmbiff/Makefile.am
index 33333b9..a1856ea 100644
--- a/wmbiff/Makefile.am
+++ b/wmbiff/Makefile.am
@@ -9,7 +9,7 @@ EXTRA_wmbiff_SOURCES = gnutls-common.c gnutls-common.h
wmbiff_LDADD = -L../wmgeneral -lwmgeneral @LIBGCRYPT_LIBS@ @GNUTLS_COMMON_O@
wmbiff_DEPENDENCIES = ../wmgeneral/libwmgeneral.a Makefile @GNUTLS_COMMON_O@
test_wmbiff_SOURCES = ShellClient.c charutil.c charutil.h Client.h \
- test_wmbiff.c passwordMgr.c Imap4Client.c regulo.c
+ test_wmbiff.c passwordMgr.c Imap4Client.c regulo.c Pop3Client.c
test_wmbiff_LDADD = @LIBGCRYPT_LIBS@
man_MANS = wmbiff.1 wmbiffrc.5
skindir = $(datadir)/wmbiff/skins
diff --git a/wmbiff/Pop3Client.c b/wmbiff/Pop3Client.c
index 3439d6a..490dbcf 100644
--- a/wmbiff/Pop3Client.c
+++ b/wmbiff/Pop3Client.c
@@ -1,4 +1,4 @@
-/* $Id: Pop3Client.c,v 1.16 2003/01/19 13:13:04 bluehal Exp $ */
+/* $Id: Pop3Client.c,v 1.17 2003/03/02 02:17:14 bluehal Exp $ */
/* Author : Scott Holden ( scotth at thezone.net )
Modified : Yong-iL Joh ( tolkien at mizi.com )
Modified : Jorge Garc�a ( Jorge.Garcia at uv.es )
@@ -22,6 +22,8 @@
#include <dmalloc.h>
#endif
+extern int Relax;
+
#define PCU (pc->u).pop_imap
#define POP_DM(pc, lvl, args...) DM(pc, lvl, "pop3: " args)
@@ -169,8 +171,10 @@ int pop3Create(Pop3 pc, const char *str)
use of '@' in passwords
*/
const char *regexes[] = {
- "pop3:([^: ]{1,32}) ([^ ]{1,32}) ([^: ]+)( [0-9]+)? *",
- "pop3:([^: ]{1,32}):([^@]{0,32})@([^: ]+)(:[0-9]+)? *",
+ "pop3:([^: ]{1,32}):([^@]{0,32})@([A-Za-z][-A-Za-z0-9_.]+)(:[0-9]+)?( *([CcAaPp][-A-Za-z5 ]*))?$",
+ "pop3:([^: ]{1,32}) ([^ ]{1,32}) ([A-Za-z][-A-Za-z0-9_.]+)( [0-9]+)?( *([CcAaPp][-A-Za-z5 ]*))?$",
+ // "pop3:([^: ]{1,32}) ([^ ]{1,32}) ([^: ]+)( [0-9]+)? *",
+ // "pop3:([^: ]{1,32}):([^@]{0,32})@([^: ]+)(:[0-9]+)? *",
NULL
};
struct regulo regulos[] = {
@@ -178,11 +182,20 @@ int pop3Create(Pop3 pc, const char *str)
{2, PCU.password, regulo_strcpy},
{3, PCU.serverName, regulo_strcpy},
{4, &PCU.serverPort, regulo_atoi},
+ {6, PCU.authList, regulo_strcpy_tolower},
{0, NULL, NULL}
};
+ if (Relax) {
+ regexes[0] =
+ "pop3:([^: ]{1,32}):([^@]{0,32})@([^/: ]+)(:[0-9]+)?( *(.*))?$";
+ regexes[1] =
+ "pop3:([^: ]{1,32}) ([^ ]{1,32}) ([^/: ]+)( [0-9]+)?( *(.*))?$";
+ }
+
/* defaults */
PCU.serverPort = 110;
+ PCU.authList[0] = '\0';
for (matchedchars = 0, i = 0;
regexes[i] != NULL && matchedchars <= 0; i++) {
@@ -192,12 +205,13 @@ int pop3Create(Pop3 pc, const char *str)
/* failed to match either regex */
if (matchedchars <= 0) {
pc->label[0] = '\0';
- POP_DM(pc, DEBUG_ERROR, "Couldn't parse line %s (%d)\n", str,
- matchedchars);
+ POP_DM(pc, DEBUG_ERROR, "Couldn't parse line %s (%d)\n"
+ " If this used to work, run wmbiff with the -relax option, and\n "
+ " send mail to wmbiff-devel at lists.sourceforge.net with the hostname\n"
+ " of your mail server.\n", str, matchedchars);
return -1;
}
-
- grab_authList(str + matchedchars, PCU.authList);
+ // grab_authList(str + matchedchars, PCU.authList);
POP_DM(pc, DEBUG_INFO, "userName= '%s'\n", PCU.userName);
POP_DM(pc, DEBUG_INFO, "password is %d chars long\n",
diff --git a/wmbiff/regulo.c b/wmbiff/regulo.c
index 9edeca6..6b6342b 100644
--- a/wmbiff/regulo.c
+++ b/wmbiff/regulo.c
@@ -28,6 +28,14 @@ void regulo_strcpy(void *dest, const char *source)
{
strcpy((char *) dest, source);
}
+void regulo_strcpy_tolower(void *dest, const char *source)
+{
+ unsigned int i;
+ for (i = 0; i < strlen(source); i++) {
+ ((char *) dest)[i] = tolower(source[i]);
+ }
+ ((char *) dest)[i] = '\0';
+}
void regulo_strcpy_skip1(void *dest, const char *source)
{
strcpy((char *) dest, source + 1);
@@ -47,6 +55,8 @@ int regulo_match(const char *regex,
matchedchars = compile_and_match_regex(regex, string, ®s);
if (matchedchars <= 0)
return 0;
+ if (instructions == NULL)
+ return 1;
for (i = 0; instructions[i].match_handler != NULL; i++) {
char buf[255];
int j = instructions[i].match_index;
@@ -99,6 +109,8 @@ int regulo_match(const char *regex,
matchedchars = compile_and_match_regex_posix(regex, string, regs, 20);
if (matchedchars <= 0)
return 0;
+ if (instructions == NULL)
+ return 1;
for (i = 0; instructions[i].match_handler != NULL; i++) {
char buf[255];
int j = instructions[i].match_index;
diff --git a/wmbiff/regulo.h b/wmbiff/regulo.h
index 6f80073..4bce791 100644
--- a/wmbiff/regulo.h
+++ b/wmbiff/regulo.h
@@ -1,10 +1,11 @@
-/* $Id: regulo.h,v 1.1 2003/01/19 13:12:02 bluehal Exp $ */
+/* $Id: regulo.h,v 1.2 2003/03/02 02:17:14 bluehal Exp $ */
/* regulo, (pronounced as if the name of a super-hero) added
by Neil Spring to provide a portable interface to regular
expressions that doesn't suck. */
void regulo_atoi(void *dest_int, const char *source);
void regulo_strcpy(void *dest, const char *source);
+void regulo_strcpy_tolower(void *dest, const char *source);
void regulo_strcpy_skip1(void *dest, const char *source);
struct regulo {
int match_index;
diff --git a/wmbiff/socket.c b/wmbiff/socket.c
index c64ea3a..6e3bde7 100644
--- a/wmbiff/socket.c
+++ b/wmbiff/socket.c
@@ -1,4 +1,4 @@
-/* $Id: socket.c,v 1.7 2002/06/08 21:40:04 bluehal Exp $ */
+/* $Id: socket.c,v 1.8 2003/03/02 02:17:14 bluehal Exp $ */
/* Copyright (C) 1998 Trent Piepho <xyzzy at u.washington.edu>
* (C) 1999 Trent Piepho <xyzzy at speakeasy.org>
*
@@ -30,18 +30,28 @@
#include <string.h>
#include <netdb.h>
#include <stdio.h>
+#include "regulo.h"
#ifdef USE_DMALLOC
#include <dmalloc.h>
#endif
+/* be paranoid about leaking passwords as hostnames, enough
+ that we'll avoid attempting lookups on things that aren't
+ host names */
+extern int Relax;
+static int sanity_check_hostname(const char *hostname)
+{
+ return (Relax
+ || regulo_match("^[A-Za-z][-_A-Za-z0-9.]+$", hostname, NULL));
+}
+
/* nspring/blueHal, 10 Apr 2002; added some extra error
printing, in line with the debug-messages-to-stdout
philosophy of the rest of the wmbiff code */
/* 1 June 2002; incorporated IPv6 support by
Jun-ichiro itojun Hagino <itojun at iijlab.net>, thanks! */
-
int sock_connect(const char *hostname, int port)
{
#ifdef HAVE_GETADDRINFO
@@ -50,6 +60,14 @@ int sock_connect(const char *hostname, int port)
char pbuf[NI_MAXSERV];
int error;
+ if (!sanity_check_hostname(hostname)) {
+ printf
+ ("socket/connect to '%s' aborted: it does not appear to be a valid hostname\n",
+ hostname);
+ printf("if you really want this, use wmbiff's -relax option.\n");
+ return -1;
+ }
+
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_STREAM;
snprintf(pbuf, sizeof(pbuf), "%d", port);
@@ -85,6 +103,14 @@ int sock_connect(const char *hostname, int port)
struct sockaddr_in addr;
int fd, i;
+ if (!sanity_check_hostname(hostname)) {
+ printf
+ ("socket/connect to '%s' aborted: it does not appear to be a valid hostname\n",
+ hostname);
+ printf("if you really want this, use wmbiff's -relax option.\n");
+ return -1;
+ }
+
host = gethostbyname(hostname);
if (host == NULL) {
herror("gethostbyname");
diff --git a/wmbiff/test_wmbiff.c b/wmbiff/test_wmbiff.c
index eba6057..a8b0e6a 100644
--- a/wmbiff/test_wmbiff.c
+++ b/wmbiff/test_wmbiff.c
@@ -12,6 +12,7 @@
#include "passwordMgr.h"
int debug_default = DEBUG_INFO;
+int Relax = 1;
/* return 1 if fail, 0 if success */
int test_backtickExpand(void) {
@@ -201,6 +202,36 @@ int test_imap4creator(void) {
CKINT(m.u.pop_imap.serverPort, 12);
CKSTRING(m.u.pop_imap.authList, "auth");
+ if(imap4Create(&m, "imap:foo:@bar/\"mybox\":12 cram-md5 plaintext")) {
+ return 1;
+ }
+ CKSTRING(m.u.pop_imap.authList, "cram-md5 plaintext");
+
+ if(imap4Create(&m, "imap:foo:@bar/\"mybox\":12 CRAm-md5 plainTEXt")) {
+ return 1;
+ }
+ CKSTRING(m.u.pop_imap.authList, "cram-md5 plaintext");
+
+
+ if(pop3Create(&m, "pop3:foo:@bar:12 cram-md5 plaintext")) {
+ return 1;
+ }
+ CKSTRING(m.u.pop_imap.authList, "cram-md5 plaintext");
+
+ /* should not parse this; it is ambiguous. */
+ if( ! imap4Create(&m, "imap:foo:mi at ta@bar/mybox") && !Relax ) {
+ return 1;
+ }
+
+ /* should not parse this; it is ambiguous. */
+ if( ! imap4Create(&m, "imap:user pa ss bar/\"space box\" 12") && !Relax) {
+ return 1;
+ }
+
+ /* should not parse this; it is ambiguous. */
+ if( ! pop3Create(&m, "pop3:user pa ss bar 12") && ! Relax) {
+ return 1;
+ }
return 0;
}
@@ -215,15 +246,27 @@ int sock_connect(UNUSED(const char *n), UNUSED(int p)) { return 1; } /* stdout *
void initialize_unencrypted(void) { }
int main(UNUSED(int argc), UNUSED(char *argv[])) {
+
if( test_backtickExpand() ||
- test_passwordMgr() ||
- test_imap4creator()) {
+ test_passwordMgr()) {
+ printf("SOME TESTS FAILED!\n");
+ exit(EXIT_FAILURE);
+ }
+
+ Relax = 0;
+ if( test_imap4creator() ) {
+ printf("SOME TESTS FAILED!\n");
+ exit(EXIT_FAILURE);
+ }
+
+ Relax = 1;
+ if( test_imap4creator() ) {
printf("SOME TESTS FAILED!\n");
exit(EXIT_FAILURE);
- } else {
- printf("Success! on all tests.\n");
- exit(EXIT_SUCCESS);
}
+
+ printf("Success! on all tests.\n");
+ exit(EXIT_SUCCESS);
}
/* vim:set ts=4: */
diff --git a/wmbiff/wmbiff.c b/wmbiff/wmbiff.c
index f4abf57..b13783f 100644
--- a/wmbiff/wmbiff.c
+++ b/wmbiff/wmbiff.c
@@ -1,4 +1,4 @@
-/* $Id: wmbiff.c,v 1.49 2003/03/02 01:04:23 bluehal Exp $ */
+/* $Id: wmbiff.c,v 1.50 2003/03/02 02:17:15 bluehal Exp $ */
#ifdef HAVE_CONFIG_H
#include <config.h>
@@ -76,6 +76,7 @@ int debug_default = DEBUG_ERROR;
static const char *foreground = "#21B3AF";
static const char *highlight = "yellow";
int SkipCertificateCheck = 0;
+int Relax = 0; /* be not paranoid */
static int notWithdrawn = 0;
static unsigned int num_mailboxes = 1;
@@ -1020,6 +1021,9 @@ static void usage(void)
" -skip-certificate-check using TLS, don't validate the\n"
" server's certificate\n"
#endif
+ " -relax assume the configuration is \n"
+ " correct, parse it without paranoia, \n"
+ " and assume hostnames are okay.\n"
" -v print the version number\n"
" +w not withdrawn: run as a window\n"
"\n", PACKAGE_VERSION, PACKAGE_BUGREPORT);
@@ -1118,6 +1122,15 @@ static void parse_cmd(int argc, const char **argv, /*@out@ */
}
break;
+ case 'r':
+ if (strcmp(arg + 1, "relax") == 0) {
+ Relax = 1;
+ } else {
+ usage();
+ exit(EXIT_SUCCESS);
+ }
+
+ break;
case 'c':
if (argc > (i + 1)) {
strncpy(config_file, argv[i + 1], 255);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmbiff.git
More information about the Pkg-wmaker-commits
mailing list