mirror of
https://git.yoctoproject.org/poky
synced 2026-03-10 17:29:40 +01:00
3a82461fad
Backport fixes for : CVE-2024-24784 - Upstream-Status: Backport from5330cd225bCVE-2024-24785 - Upstream-Status: Backport from056b0edcb8(From OE-Core rev: 408f86a5268cadd680f45e2d934451a321241706) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
208 lines
6.5 KiB
Diff
208 lines
6.5 KiB
Diff
From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
|
|
From: Roland Shoemaker <bracewell@google.com>
|
|
Date: Wed, 10 Jan 2024 11:02:14 -0800
|
|
Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
|
|
characters in phrase and obs-phrase
|
|
|
|
Fixes a couple of misalignments with RFC 5322 which introduce
|
|
significant diffs between (mostly) conformant parsers.
|
|
|
|
This change reverts the changes made in CL50911, which allowed certain
|
|
special RFC 5322 characters to appear unquoted in the "phrase" syntax.
|
|
It is unclear why this change was made in the first place, and created
|
|
a divergence from comformant parsers. In particular this resulted in
|
|
treating comments in display names incorrectly.
|
|
|
|
Additionally properly handle trailing malformed comments in the group
|
|
syntax.
|
|
|
|
For #65083
|
|
Fixed #65849
|
|
|
|
Change-Id: I00dddc044c6ae3381154e43236632604c390f672
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
|
|
Reviewed-by: Damien Neil <dneil@google.com>
|
|
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
|
|
Reviewed-by: Carlos Amedee <carlos@golang.org>
|
|
|
|
Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
|
|
CVE: CVE-2024-24784
|
|
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
|
|
---
|
|
src/net/mail/message.go | 30 +++++++++++++++------------
|
|
src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
|
|
2 files changed, 46 insertions(+), 24 deletions(-)
|
|
|
|
diff --git a/src/net/mail/message.go b/src/net/mail/message.go
|
|
index 47bbf6c..84f48f0 100644
|
|
--- a/src/net/mail/message.go
|
|
+++ b/src/net/mail/message.go
|
|
@@ -231,7 +231,7 @@ func (a *Address) String() string {
|
|
// Add quotes if needed
|
|
quoteLocal := false
|
|
for i, r := range local {
|
|
- if isAtext(r, false, false) {
|
|
+ if isAtext(r, false) {
|
|
continue
|
|
}
|
|
if r == '.' {
|
|
@@ -395,7 +395,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
|
|
if !p.consume('<') {
|
|
atext := true
|
|
for _, r := range displayName {
|
|
- if !isAtext(r, true, false) {
|
|
+ if !isAtext(r, true) {
|
|
atext = false
|
|
break
|
|
}
|
|
@@ -430,7 +430,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
|
|
// handle empty group.
|
|
p.skipSpace()
|
|
if p.consume(';') {
|
|
- p.skipCFWS()
|
|
+ if !p.skipCFWS() {
|
|
+ return nil, errors.New("mail: misformatted parenthetical comment")
|
|
+ }
|
|
return group, nil
|
|
}
|
|
|
|
@@ -447,7 +449,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
|
|
return nil, errors.New("mail: misformatted parenthetical comment")
|
|
}
|
|
if p.consume(';') {
|
|
- p.skipCFWS()
|
|
+ if !p.skipCFWS() {
|
|
+ return nil, errors.New("mail: misformatted parenthetical comment")
|
|
+ }
|
|
break
|
|
}
|
|
if !p.consume(',') {
|
|
@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
|
|
var words []string
|
|
var isPrevEncoded bool
|
|
for {
|
|
+ // obs-phrase allows CFWS after one word
|
|
+ if len(words) > 0 {
|
|
+ if !p.skipCFWS() {
|
|
+ return "", errors.New("mail: misformatted parenthetical comment")
|
|
+ }
|
|
+ }
|
|
// word = atom / quoted-string
|
|
var word string
|
|
p.skipSpace()
|
|
@@ -612,7 +622,6 @@ Loop:
|
|
// If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
|
|
// If permissive is true, consumeAtom will not fail on:
|
|
// - leading/trailing/double dots in the atom (see golang.org/issue/4938)
|
|
-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
|
|
func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
|
|
i := 0
|
|
|
|
@@ -623,7 +632,7 @@ Loop:
|
|
case size == 1 && r == utf8.RuneError:
|
|
return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
|
|
|
|
- case size == 0 || !isAtext(r, dot, permissive):
|
|
+ case size == 0 || !isAtext(r, dot):
|
|
break Loop
|
|
|
|
default:
|
|
@@ -777,18 +786,13 @@ func (e charsetError) Error() string {
|
|
|
|
// isAtext reports whether r is an RFC 5322 atext character.
|
|
// If dot is true, period is included.
|
|
-// If permissive is true, RFC 5322 3.2.3 specials is included,
|
|
-// except '<', '>', ':' and '"'.
|
|
-func isAtext(r rune, dot, permissive bool) bool {
|
|
+func isAtext(r rune, dot bool) bool {
|
|
switch r {
|
|
case '.':
|
|
return dot
|
|
|
|
// RFC 5322 3.2.3. specials
|
|
- case '(', ')', '[', ']', ';', '@', '\\', ',':
|
|
- return permissive
|
|
-
|
|
- case '<', '>', '"', ':':
|
|
+ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
|
|
return false
|
|
}
|
|
return isVchar(r)
|
|
diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
|
|
index 80a17b2..00bc93e 100644
|
|
--- a/src/net/mail/message_test.go
|
|
+++ b/src/net/mail/message_test.go
|
|
@@ -334,8 +334,11 @@ func TestAddressParsingError(t *testing.T) {
|
|
13: {"group not closed: null@example.com", "expected comma"},
|
|
14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
|
|
15: {"john.doe", "missing '@' or angle-addr"},
|
|
- 16: {"john.doe@", "no angle-addr"},
|
|
+ 16: {"john.doe@", "missing '@' or angle-addr"},
|
|
17: {"John Doe@foo.bar", "no angle-addr"},
|
|
+ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
|
|
+ 19: {" group: ; (asd", "misformatted parenthetical comment"},
|
|
+ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
|
|
}
|
|
|
|
for i, tc := range mustErrTestCases {
|
|
@@ -374,24 +377,19 @@ func TestAddressParsing(t *testing.T) {
|
|
Address: "john.q.public@example.com",
|
|
}},
|
|
},
|
|
- {
|
|
- `"John (middle) Doe" <jdoe@machine.example>`,
|
|
- []*Address{{
|
|
- Name: "John (middle) Doe",
|
|
- Address: "jdoe@machine.example",
|
|
- }},
|
|
- },
|
|
+ // Comment in display name
|
|
{
|
|
`John (middle) Doe <jdoe@machine.example>`,
|
|
[]*Address{{
|
|
- Name: "John (middle) Doe",
|
|
+ Name: "John Doe",
|
|
Address: "jdoe@machine.example",
|
|
}},
|
|
},
|
|
+ // Display name is quoted string, so comment is not a comment
|
|
{
|
|
- `John !@M@! Doe <jdoe@machine.example>`,
|
|
+ `"John (middle) Doe" <jdoe@machine.example>`,
|
|
[]*Address{{
|
|
- Name: "John !@M@! Doe",
|
|
+ Name: "John (middle) Doe",
|
|
Address: "jdoe@machine.example",
|
|
}},
|
|
},
|
|
@@ -726,6 +724,26 @@ func TestAddressParsing(t *testing.T) {
|
|
},
|
|
},
|
|
},
|
|
+ // Comment in group display name
|
|
+ {
|
|
+ `group (comment:): a@example.com, b@example.com;`,
|
|
+ []*Address{
|
|
+ {
|
|
+ Address: "a@example.com",
|
|
+ },
|
|
+ {
|
|
+ Address: "b@example.com",
|
|
+ },
|
|
+ },
|
|
+ },
|
|
+ {
|
|
+ `x(:"):"@a.example;("@b.example;`,
|
|
+ []*Address{
|
|
+ {
|
|
+ Address: `@a.example;(@b.example`,
|
|
+ },
|
|
+ },
|
|
+ },
|
|
}
|
|
for _, test := range tests {
|
|
if len(test.exp) == 1 {
|
|
--
|
|
2.39.3
|