ef3261
# HG changeset patch
ef3261
# User Rocco Rutte <pdmef@gmx.net>
ef3261
# Date 1194196465 -3600
ef3261
# Branch HEAD
ef3261
# Node ID 6248b3c04f61fcbd447bed96030cb7a4887b69b6
ef3261
# Parent  2157b46eb93823e5c38136fe49c9b16c1475f27b
ef3261
Prevent mailto parsing buffer overflow by ignoring too long header.
ef3261
If they're longer than our buffer, we can't turn it into a header to
ef3261
be parsed by mutt_parse_rfc822_line() anyway, so we bail out in this
ef3261
case. Also make main() catch mailto parsing errors. Closes #2980.
ef3261
ef3261
diff -r 2157b46eb938 -r 6248b3c04f61 main.c
ef3261
--- a/main.c	Sun Nov 04 17:02:56 2007 +0100
ef3261
+++ b/main.c	Sun Nov 04 18:14:25 2007 +0100
ef3261
@@ -829,7 +829,15 @@ int main (int argc, char **argv)
ef3261
       for (i = optind; i < argc; i++)
ef3261
       {
ef3261
 	if (url_check_scheme (argv[i]) == U_MAILTO)
ef3261
-	  url_parse_mailto (msg->env, &bodytext, argv[i]);
ef3261
+	{
ef3261
+	  if (url_parse_mailto (msg->env, &bodytext, argv[i]) < 0)
ef3261
+	  {
ef3261
+	    if (!option (OPTNOCURSES))
ef3261
+	      mutt_endwin (NULL);
ef3261
+	    fputs (_("Failed to parse mailto: link\n"), stderr);
ef3261
+	    exit (1);
ef3261
+	  }
ef3261
+	}
ef3261
 	else
ef3261
 	  msg->env->to = rfc822_parse_adrlist (msg->env->to, argv[i]);
ef3261
       }
ef3261
diff -r 2157b46eb938 -r 6248b3c04f61 url.c
ef3261
--- a/url.c	Sun Nov 04 17:02:56 2007 +0100
ef3261
+++ b/url.c	Sun Nov 04 18:14:25 2007 +0100
ef3261
@@ -217,7 +217,7 @@ int url_parse_mailto (ENVELOPE *e, char 
ef3261
   char *tag, *value;
ef3261
   char scratch[HUGE_STRING];
ef3261
 
ef3261
-  int taglen;
ef3261
+  int taglen, rc = 0;
ef3261
 
ef3261
   LIST *last = NULL;
ef3261
   
ef3261
@@ -250,19 +250,25 @@ int url_parse_mailto (ENVELOPE *e, char 
ef3261
       if (body)
ef3261
 	mutt_str_replace (body, value);
ef3261
     }
ef3261
-    else 
ef3261
-    {
ef3261
-      taglen = strlen (tag);
ef3261
-      /* mutt_parse_rfc822_line makes some assumptions */
ef3261
+    else if ((taglen = mutt_strlen (tag)) <= sizeof (scratch) - 2)
ef3261
+    {
ef3261
+      /* only try to parse if we can format it as header for
ef3261
+       * mutt_parse_rfc822_line (tag fits in scratch) */
ef3261
       snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
ef3261
       scratch[taglen] = '\0';
ef3261
       value = &scratch[taglen+1];
ef3261
       SKIPWS (value);
ef3261
       mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
ef3261
     }
ef3261
-  }
ef3261
-  
ef3261
+    else
ef3261
+    {
ef3261
+      rc = -1;
ef3261
+      goto out;
ef3261
+    }
ef3261
+  }
ef3261
+
ef3261
+out:
ef3261
   FREE (&tmp);
ef3261
-  return 0;
ef3261
-}
ef3261
-
ef3261
+  return rc;
ef3261
+}
ef3261
+
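Review bot: The new guard in the `else if` bounds only `tag`, so a header whose tag fits but whose value does not is still silently truncated by `snprintf` and passed to `mutt_parse_rfc822_line` as if it were complete. Memory safety holds, since `scratch[taglen]` and `&scratch[taglen+1]` stay inside the buffer for `taglen <= sizeof (scratch) - 2`, but the commit message suggests over-long headers are rejected rather than shortened, and a mailto: link is typically untrusted input. Checking the return value would close that gap: `if (snprintf (scratch, sizeof (scratch), "%s: %s", tag, value) >= (int) sizeof (scratch)) { rc = -1; goto out; }`. The guard also compares the `int` `taglen` against a `size_t`; declaring `taglen` as `size_t` would avoid the implicit conversion. `url_parse_mailto` begins outside this hunk.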
ef3261
# HG changeset patch
ef3261
# User cypher@conuropsis.org
ef3261
# Date 1194197244 -3600
ef3261
# Branch HEAD
ef3261
# Node ID ab676b9f0c040644f27c1fb862a7d67171c553c7
ef3261
# Parent  6248b3c04f61fcbd447bed96030cb7a4887b69b6
ef3261
Use strtok_r() to parse mailto: links, not strtok().
ef3261
In case a header needs to call mutt_parse_references() which uses
ef3261
strtok(), too, later headers will be silently discarded. Closes #2968.
ef3261
ef3261
diff -r 6248b3c04f61 -r ab676b9f0c04 url.c
ef3261
--- a/url.c	Sun Nov 04 18:14:25 2007 +0100
ef3261
+++ b/url.c	Sun Nov 04 18:27:24 2007 +0100
ef3261
@@ -211,7 +211,7 @@ int url_ciss_tostring (ciss_url_t* ciss,
ef3261
 
ef3261
 int url_parse_mailto (ENVELOPE *e, char **body, const char *src)
ef3261
 {
ef3261
-  char *t;
ef3261
+  char *t, *p;
ef3261
   char *tmp;
ef3261
   char *headers;
ef3261
   char *tag, *value;
ef3261
@@ -233,9 +233,9 @@ int url_parse_mailto (ENVELOPE *e, char 
ef3261
   url_pct_decode (tmp);
ef3261
   e->to = rfc822_parse_adrlist (e->to, tmp);
ef3261
 
ef3261
-  tag = headers ? strtok (headers, "&") : NULL;
ef3261
-  
ef3261
-  for (; tag; tag = strtok (NULL, "&"))
ef3261
+  tag = headers ? strtok_r (headers, "&", &p) : NULL;
ef3261
+  
ef3261
+  for (; tag; tag = strtok_r (NULL, "&", &p))
ef3261
   {
ef3261
     if ((value = strchr (tag, '=')))
ef3261
       *value++ = '\0';
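Review bot: Nothing at the `strtok_r` calls says why the reentrant variant is required, so a later cleanup could swap `strtok` back in and reintroduce the silent loss of headers described in the commit message. I would add a comment above the first call, e.g. `/* strtok_r, not strtok: header parsing below may call strtok() itself (mutt_parse_references) and would reset the shared state */`, and give `p` a more telling name such as `saveptr`. If the project builds on platforms without POSIX `strtok_r`, a configure check or fallback would be needed; that is not visible from this hunk. The loop body continues beyond the hunk.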