History log of /src/usr.bin/mail/fio.c
Revision  Date  Author  Comments
 1.45  23-Aug-2023  rin mail: Fix regression for recent use-after-free fix

For makemessage(), do not skip thread_fix_old_links() for
newly-allocated message as before.

Thanks jun@ for report.
 1.44  10-Aug-2023  mrg avoid various use-after-free issues.

create a ptrdiff_t offset between the start of an allocation region and
some interesting pointer, so it can be adjusted with this offset after
realloc() returns. for pdisk(), realloc() is a locally inlined malloc()
and free() pair.

for mail(1), this required a little bit more effort as the old pointer
was passed into another file for fix-ups there, and that code needed to
be adjusted for offset vs old pointer usage.

found by GCC 12.
 1.43  09-Nov-2017  christos Only open regular files.
 1.42  10-Jan-2015  christos fix incorrect arg size computation
 1.41  16-Dec-2014  christos Fix various security related issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with |.

Such addresses can be specified both on the command line, the mail
headers (with -t) or in address lines copied over from previous
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.

Added expandaddr option to explicitly enable this behavior.

0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.

Fixed.

0003. Make wordexp support mandatory. (No functional change.)

Fixed (replaced explicit shell pipe implementation).

0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:

Fixed (as part of the pipe replacement with wordexp).
 1.40  09-Mar-2013  christos branches: 1.40.8;
undo previous; mail never expanded $ variables in folder.
 1.39  06-Mar-2013  christos since we are calling realpath() earlier now, we need to expand the name
of the folder in case it contained variables like $HOME.
 1.38  20-Feb-2013  christos PR/47577: Steffen "Daode" Nurpmeso: Refinement to previous to always
keep track of the folder when it is updated.
 1.37  19-Feb-2013  christos PR/47577: Steffen "Daode" Nurpmeso: Keep a resolved folder name together
with a display name in order to keep track of current state when the directory
is changed.
 1.36  21-Oct-2012  christos consistently use warn
 1.35  29-Apr-2012  christos branches: 1.35.2;
set close on exec for all opened files.
 1.34  12-Jan-2010  christos branches: 1.34.6;
error message cleanup
- 1 -> EXIT_FAILURE
- fprintf(stderr, -> warnx(
- better warning messages
 1.33  11-Apr-2009  christos - magic fix for short files
- knf
from Anon Ymous
 1.32  10-Apr-2009  christos From Anon Ymous:

- Remove all longjmp(3) calls from signal handlers. Instead, we post
to an internal signal queue and check that periodically. All signal
related code is now in sig.c, except for the SIGCHLD handler which
remains in popen.c as it is intimately tied to routines there.

- Handle SIGPIPE in type1() regardless of mime support, or else the
handler in execute() will prevent our error code from being returned
resulting in 'sawcom' not being set on the first command as it should.
This only affected the initial behavior of the "next" command without
mime support.

- Add the 'T' flag to many commands in cmdtab.c that should not look
like the first command. E.g., start mail on a mailbox with multiple
messages, run "set foo", then "next", and watch the second message get
displayed rather than the first as is the case without the first "set"
command.

- Add file descriptor and file handle leak detection. Enabled by
DEBUG_FILE_LEAK. This will likely disappear in the future.

- Fix a long standing (since import in 1993) longjmp() bug in
edstop(): the jmpbuf was invalid when quit() is called at the end of
main.

- Fix a long standing bug (since import in 1993) in snarf() where it
didn't strip whitespace correctly if the line consisted only of
whitespace.

- Lint cleanup.

- New Feature: "Header" command. This allows miscellaneous header
fields to be added to the header, e.g., "X-Organization:" or
"Reply-To:" fields.

- New Feature: "page-also" variable. This allows the specification of
additional commands to page. It is more flexible than "crt".

- Document the "pager-off" variable: if set, it disables paging
entirely.
 1.31  29-Oct-2007  christos branches: 1.31.14;
From Anon Ymous:
knf changes:
- s/sizeof x/sizeof(x)/.
- remove unnecessary malloc typecasts.
- whitespace nits.
 1.30  23-Oct-2007  christos From Anon Ymous:
- Introduce date_to_tm() and hl_date_to_tm() to parse the date and
headline date a bit more efficiently.
- If 'tm_isdst' is determined, let strftime(3) handle the '%Z' and
'%z' formats. Otherwise, output "-0000" and "???", respectively, to
help preserve alignment; strftime(3) will output an empty
string in these cases.
- Change fail() to use the '-d' flag (which sets the 'debug' variable)
rather than the "debug" _environment_ variable. This is more
consistent with other warnings.
- Don't use gcc C extensions, e.g., "case LOW ... HIGH:".
- Define is_WSP() in def.h to be an inline function that checks for
whitespace (WSP = ' ' or '\t'), as defined in RFC 2822. Use it
consistently in place of isblank().
- For consistency, rename skip_blank() to skip_WSP().
- Add inline skip_space() to complement skip_blank() (now skip_WSP).
- Check all ctype(3) calls for argument range issues.
- Whitespace and comment cleanup/changes.
 1.29  22-Aug-2007  dogcow branches: 1.29.2;
A prophylactic patch: change offsetof -> blkoffsetof
 1.28  28-Nov-2006  christos From Anon Ymous:

1) Statification of modules.

2) Implement the 'detach' and 'Detach' commands for extracting mime
parts from messages.

3) Teach mail to output "In-Reply-To" and "References" header fields
when replying so others can thread us.

4) Implement threading, sorting, and tagging, supported by the
following commands: 'flatten', 'reverse', 'sort', 'thread',
'unthread', 'down', 'tset', 'up', 'expose', 'hide', 'tag',
'untag', 'invtags', 'tagbelow', 'hidetags', 'showtags'.
See the manpage for details (when available - soon).

5) Implement a 'deldups' command to delete duplicate messages based on
their "Message-Id" field, e.g., in replies to a mailing list that
are also CCed to a subscriber. (This can also be accomplished with
the threading and tagging commands.)

6) Implement 'ifdef' and 'ifndef' commands, and make the conditionals
nestable (i.e., implement a conditional stack). The if/else/endif
commands existed before, but they were primitive and undocumented.
The 'if' command currently recognizes the "receiving", "sending",
and "headersonly" mode keywords.

7) Teach the message selecting routine to understand regular
expressions if "regex-search" is defined. Otherwise only case
insensitive substring matches are done (as in the past).

8) Teach the message selection routine to understand boolean
expressions. Improved "colon-modifier" support. See the manpage
for details (when available - soon).

9) Extend paging to all commands (where relevant).

10) Add shell like piping and redirection of (standard) output (if
"enable-piping" is defined). Extend completion to these contexts.

11) The manpage should follow soon!!!!
 1.27  31-Oct-2006  christos More fixes from Anon Ymous:


1) Removed the -B flag (it was stupid on my part) and added a short
description indicating how to accomplish the same thing under the
"Sending Mail" section of man mail(1).

2) Added a -H flag to dump the headers and exit. It takes optional
flags to restrict to old, new, read, unread, and deleted messages
(the latter being kind of useless - it shares code with something
that already had it).

3) Restored the 'Save' command which somehow got mistakenly removed in
the last commit and add documentation for it! (My apologies to
its author.)

4) Added a 'mkread' command to mark messages as read (the inverse of
'unread'). Should we also have a 'mknew' command?

5) Added a 'smopts' command to keep a database of addresses and
sendmail options to be used when sending messages to those
addresses. See man mail(1) for a fuller description.

6) Added 'indentpreamble' and 'indentpostscript' variables whose
values are inserted before and after a quoted message (~m or ~M
escapes).
7) Added string formatting abilities for the 'prompt', 'insertpreamble',
'insertpostscript', and header display strings. These strings
support all the strftime() format parameters as well as many more
specific to mail (see man mail(1)).

8) Fix the -a flag so that it only takes a single filename, unless
"mime-attach-list" is defined. This is more conventional and avoids
unexpected whitespace issues.
 1.26  21-Oct-2006  christos From our anonymous user:
- mime and character set handling
- command line editor and completion
- many code improvements
 1.25  19-Jul-2005  christos Pass lint completely.
 1.24  19-Jul-2005  christos WARNS=3
 1.23  31-Oct-2003  ross Defensively rewrite a string moving loop.
Constify.
Check for an allocation error.
 1.22  07-Aug-2003  agc Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.
 1.21  29-Mar-2002  ross only count header lines that are actually going to be displayed
when deciding whether to run $PAGER, otherwise it may start up the
pager for a two line message if all 55 header lines are the subject
of a .mailrc ignore command.

(And no, I don't find this program directly useful for reading
today's mail volumes, but it's great as a component run from wrapper
scripts, pretty good for scanning archived mail, and more than
adequate for sending mail.)
 1.20  05-Mar-2002  wiz Use warn() instead of perror().
 1.19  05-Mar-2002  wiz KNF: No space after casts.
 1.18  05-Mar-2002  wiz Use strpbrk(3) instead of anyof().
 1.17  04-Mar-2002  wiz Don't use special null string pointer (NOSTR), just use NULL.
 1.16  02-Mar-2002  wiz Rename variables to avoid shadowing.
 1.15  02-Mar-2002  wiz ANSIfy, and minimal KNF.
 1.14  19-Dec-2001  christos PR/15000: Mike Heffner: mail(1) doesn't reposition pointer correctly
Fix applied from OpenBSD, as suggested in the patch.
 1.13  05-Feb-2001  christos fix nested externs
rename raise to upcase to avoid clash with raise(3)
 1.12  19-Dec-1998  christos char -> unsigned char, index -> strchr, s.w_termsig -> WTERMSIG(s)
 1.11  10-Jun-1998  ross Don't segfault just because a line starts with null.
linebuf[count - 1] = 0, nice try
 1.10  19-Oct-1997  lukem WARNSify, fix .Nm usage, deprecate register, use <err.h>
 1.9  18-Oct-1997  matt Allow mailboxes to be in <cr><lf> format.
 1.8  07-Jul-1997  phil Fixed bug where long lines (>1023 characters in current implementation)
were viewed as multiple lines by both standard input and ~<file.
Closes PR 3463.
 1.7  13-May-1997  mikel fix some potential buffer overflows, and other cleanup.
 1.6  28-Dec-1996  tls Sync with 4.4BSD-Lite2
 1.5  08-Jun-1996  christos - Fix PR/105: Implement dot locking protocol and check return value of flock.
- Fix PR/2247: Don't call unknown users "ubluit". Issue an error message.
- Fix/add prototypes.
- Fix warnings.
- Use POSIX signal mask calls.
- RCSid police.
 1.4  29-Jun-1994  deraadt 4.4-lite, plus our mods
 1.3  01-Apr-1994  cgd lseek/long thing
 1.2  01-Aug-1993  mycroft Add RCS identifiers.
 1.1  21-Mar-1993  cgd branches: 1.1.1;
Initial revision
 1.1.1.3  28-Dec-1996  tls Import of 4.4BSD-Lite2 source
 1.1.1.2  28-Dec-1996  tls Import of 4.4BSD-Lite (already merged at head)
 1.1.1.1  21-Mar-1993  cgd initial import of 386bsd-0.1 sources
 1.29.2.1  06-Nov-2007  matt sync with HEAD
 1.31.14.1  13-May-2009  jym Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
 1.34.6.3  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was split into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.34.6.2  30-Oct-2012  yamt sync with head
 1.34.6.1  23-May-2012  yamt sync with head.
 1.35.2.2  25-Feb-2013  tls resync with head
 1.35.2.1  20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.40.8.1  23-Apr-2015  snj Pull up following revision(s) (requested by christos in ticket #719):
usr.bin/mail/cmd3.c: revision 1.43
usr.bin/mail/extern.h: revision 1.33
usr.bin/mail/fio.c: revisions 1.41, 1.42
usr.bin/mail/mail.1: revision 1.61
usr.bin/mail/names.c: revision 1.31, 1.32
usr.bin/mail/send.c: revision 1.38
Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with |.
Such addresses can be specified both on the command line, the mail
headers (with -t) or in address lines copied over from previous
while replying.
This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.
Added expandaddr option to explicitly enable this behavior.
0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.
Fixed.
0003. Make wordexp support mandatory. (No functional change.)
Fixed (replaced explicit shell pipe implementation).
0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:
Fixed (as part of the pipe replacement with wordexp).
--
fix incorrect arg size computation
