dovecot-2.0-pigeonhole: lib-sieve: include extension: forgot to ...
pigeonhole at rename-it.nl
pigeonhole at rename-it.nl
Tue Jul 5 21:32:50 EEST 2011
details: http://hg.rename-it.nl/dovecot-2.0-pigeonhole/rev/08bbe5872576
changeset: 1514:08bbe5872576
user: Stephan Bosch <stephan at rename-it.nl>
date: Tue Jul 05 20:32:28 2011 +0200
description:
lib-sieve: include extension: forgot to check variable identifier syntax.
diffstat:
src/lib-sieve/plugins/include/cmd-global.c | 4 +-
src/lib-sieve/plugins/include/ext-include-variables.c | 9 +++
src/lib-sieve/plugins/variables/ext-variables-arguments.c | 10 +-
src/lib-sieve/plugins/variables/ext-variables-name.c | 50 ++++++++++++----
src/lib-sieve/plugins/variables/sieve-ext-variables.h | 2 +
tests/extensions/include/rfc-ex2-default.sieve | 2 +-
6 files changed, 57 insertions(+), 20 deletions(-)
diffs (193 lines):
diff -r e9bb226739cb -r 08bbe5872576 src/lib-sieve/plugins/include/cmd-global.c
--- a/src/lib-sieve/plugins/include/cmd-global.c Sat Jul 02 23:58:01 2011 +0200
+++ b/src/lib-sieve/plugins/include/cmd-global.c Tue Jul 05 20:32:28 2011 +0200
@@ -174,13 +174,13 @@
sieve_ast_argument_name(arg));
return FALSE;
}
-
+
/* Join global commands with predecessors if possible */
if ( sieve_commands_equal(prev, cmd) ) {
/* Join this command's string list with the previous one */
prev->first_positional = sieve_ast_stringlist_join
(prev->first_positional, cmd->first_positional);
-
+
if ( prev->first_positional == NULL ) {
/* Not going to happen unless MAXINT stringlist items are specified */
sieve_command_validate_error(valdtr, cmd,
diff -r e9bb226739cb -r 08bbe5872576 src/lib-sieve/plugins/include/ext-include-variables.c
--- a/src/lib-sieve/plugins/include/ext-include-variables.c Sat Jul 02 23:58:01 2011 +0200
+++ b/src/lib-sieve/plugins/include/ext-include-variables.c Tue Jul 05 20:32:28 2011 +0200
@@ -1,6 +1,9 @@
/* Copyright (c) 2002-2011 Pigeonhole authors, see the included COPYING file
*/
+#include "lib.h"
+#include "str-sanitize.h"
+
#include "sieve-common.h"
#include "sieve-error.h"
#include "sieve-script.h"
@@ -38,6 +41,12 @@
/* Sanity safeguard */
i_assert ( ctx->global_vars != NULL );
+ if ( !sieve_variable_identifier_is_valid(variable) ) {
+ sieve_command_validate_error(valdtr, cmd,
+ "invalid variable identifier '%s'", str_sanitize(variable,80));
+ return NULL;
+ }
+
/* Get/Declare the variable in the global scope */
global_var = sieve_variable_scope_get_variable(global_scope, variable, TRUE);
diff -r e9bb226739cb -r 08bbe5872576 src/lib-sieve/plugins/variables/ext-variables-arguments.c
--- a/src/lib-sieve/plugins/variables/ext-variables-arguments.c Sat Jul 02 23:58:01 2011 +0200
+++ b/src/lib-sieve/plugins/variables/ext-variables-arguments.c Tue Jul 05 20:32:28 2011 +0200
@@ -343,19 +343,19 @@
bool result = FALSE;
string_t *variable;
const char *varstr, *varend;
- ARRAY_TYPE(sieve_variable_name) vname;
+ ARRAY_TYPE(sieve_variable_name) vname;
int nelements = 0;
T_BEGIN {
- t_array_init(&vname, 2);
-
+ t_array_init(&vname, 2);
+
variable = sieve_ast_argument_str(arg);
varstr = str_c(variable);
varend = PTR_OFFSET(varstr, str_len(variable));
nelements = ext_variable_name_parse(&vname, &varstr, varend);
- /* Check whether name parsing succeeded */
- if ( nelements < 0 || varstr != varend ) {
+ /* Check whether name parsing succeeded */
+ if ( nelements <= 0 || varstr != varend ) {
/* Parse failed */
sieve_argument_validate_error(valdtr, arg,
"invalid variable name '%s'", str_sanitize(str_c(variable),80));
diff -r e9bb226739cb -r 08bbe5872576 src/lib-sieve/plugins/variables/ext-variables-name.c
--- a/src/lib-sieve/plugins/variables/ext-variables-name.c Sat Jul 02 23:58:01 2011 +0200
+++ b/src/lib-sieve/plugins/variables/ext-variables-name.c Tue Jul 05 20:32:28 2011 +0200
@@ -13,14 +13,36 @@
#include <ctype.h>
+bool sieve_variable_identifier_is_valid(const char *identifier)
+{
+ const char *p = identifier;
+ size_t plen = strlen(identifier);
+ const char *pend;
+
+ if ( plen == 0 || plen >= EXT_VARIABLES_MAX_VARIABLE_NAME_LEN )
+ return FALSE;
+
+ pend = PTR_OFFSET(identifier, plen);
+
+ if ( *p == '_' || i_isalpha(*p) ) {
+ p++;
+
+ while ( p < pend && (*p == '_' || i_isalnum(*p)) ) {
+ p++;
+ }
+ }
+
+ return ( p == pend );
+}
+
int ext_variable_name_parse
(ARRAY_TYPE(sieve_variable_name) *vname, const char **str, const char *strend)
{
const char *p = *str;
-
+
array_clear(vname);
- for (;;) {
+ while ( p < strend ) {
struct sieve_variable_name *cur_element;
string_t *cur_ident;
@@ -40,23 +62,23 @@
str_truncate(cur_ident, 0);
str_append_c(cur_ident, *p);
p++;
-
+
while ( p < strend && (*p == '_' || i_isalnum(*p)) ) {
if ( str_len(cur_ident) >= EXT_VARIABLES_MAX_VARIABLE_NAME_LEN )
return -1;
str_append_c(cur_ident, *p);
p++;
}
-
+
/* Num-variable */
} else if ( i_isdigit(*p) ) {
cur_element->num_variable = *p - '0';
p++;
-
+
while ( p < strend && i_isdigit(*p) ) {
cur_element->num_variable = cur_element->num_variable*10 + (*p - '0');
p++;
- }
+ }
/* If a num-variable is first, no more elements can follow because no
* namespace is specified.
@@ -69,16 +91,20 @@
*str = p;
return -1;
}
-
+
/* Check whether next name element is present */
- if ( p < strend && *p == '.' )
+ if ( p < strend && *p == '.' ) {
p++;
- else
+
+ /* It may not be empty */
+ if ( p >= strend )
+ return -1;
+ } else
break;
}
-
+
*str = p;
return array_count(vname);
-}
-
+}
+
diff -r e9bb226739cb -r 08bbe5872576 src/lib-sieve/plugins/variables/sieve-ext-variables.h
--- a/src/lib-sieve/plugins/variables/sieve-ext-variables.h Sat Jul 02 23:58:01 2011 +0200
+++ b/src/lib-sieve/plugins/variables/sieve-ext-variables.h Tue Jul 05 20:32:28 2011 +0200
@@ -46,6 +46,8 @@
ARRAY_DEFINE_TYPE(sieve_variable_name, struct sieve_variable_name);
+bool sieve_variable_identifier_is_valid(const char *identifier);
+
/*
* Variable scope
*/
diff -r e9bb226739cb -r 08bbe5872576 tests/extensions/include/rfc-ex2-default.sieve
--- a/tests/extensions/include/rfc-ex2-default.sieve Sat Jul 02 23:58:01 2011 +0200
+++ b/tests/extensions/include/rfc-ex2-default.sieve Tue Jul 05 20:32:28 2011 +0200
@@ -1,6 +1,6 @@
require ["variables", "include", "relational", "fileinto"];
global "test";
-global "test-mailbox";
+global "test_mailbox";
# The included script may contain repetitive code that is
# effectively a subroutine that can be factored out.
More information about the dovecot-cvs
mailing list