| History log of /src/usr.bin/mail/names.c |
| Revision | | Date | Author | Comments |
| 1.33 |
| 09-Nov-2017 |
christos | Only open regular files.
|
| 1.32 |
| 10-Jan-2015 |
christos | fix wordexp result handling
|
| 1.31 |
| 16-Dec-2014 |
christos | Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with |.
Such addresses can be specified both on the command line, the mail
headers (with -t) or in address lines copied over from previous
while replying.
This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.
Added expandaddr option to explicitly enable this behavior.
0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.
Fixed.
0003. Make wordexp support mandatory. (No functional change.)
Fixed (replaced explicit shell pipe implementation).
0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:
Fixed (as part of the pipe replacement with wordexp).
|
| 1.30 |
| 21-Oct-2012 |
christos | branches: 1.30.8;
PR/47098: Steffen "Daode" Nurpmeso: mail(1): SEGV with bad globbed file argument
|
| 1.29 |
| 29-Apr-2012 |
christos | branches: 1.29.2;
set close on exec for all opened files.
|
| 1.28 |
| 12-Jan-2010 |
christos | branches: 1.28.6;
error message cleanup
- 1 -> EXIT_FAILURE
- fprintf(stderr, -> warnx(
- better warning messages
|
| 1.27 |
| 29-Oct-2007 |
christos | From Anon Ymous:
knf changes:
- s/sizeof x/sizeof(x)/.
- remove unnecessary malloc typecasts.
- whitespace nits.
|
| 1.26 |
| 23-Oct-2007 |
christos | From Anon Ymous:
- Introduce date_to_tm() and hl_date_to_tm() to parse the date and
headline date a bit more efficiently.
- If 'tm_isdst' is determined, let strftime(3) handle the '%Z' and
'%z' formats. Otherwise, output "-0000" and "???", respectively, to
help preserve with alignment; strftime(3) will output an empty
string in these case.
- Change fail() to use the '-d' flag (which sets the 'debug' variable)
rather than the "debug" _environment_ variable. This is more
consistent with other warnings.
- Don't use gcc C extensions, e.g., "case LOW ... HIGH:".
- Define is_WSP() in def.h to be an inline function that for checks
whitespace (WSP = ' ' or '\t'), as defined in RFC 2822. Use it
consistently in place of isblank().
- For consistency, rename skip_blank() to skip_WSP().
- Add inline skip_space() to complement skip_blank() (now skip_WSP).
- Check all ctype(3) calls for argument range issues.
- Whitespace and comment cleanup/changes.
|
| 1.25 |
| 25-Dec-2006 |
christos | branches: 1.25.4;
From Anon Ymous
1) Add support for message selection based on the message body. The
pattern matching is done on the MIME decoded body as would be seen by
the print command.
2) Don't hook editline when doing headers only: that mode is never
interactive and it messes up piping if output is redirected to a
command that expects tty input, such as 'more'.
|
| 1.24 |
| 28-Nov-2006 |
christos | branches: 1.24.2;
From Anon Ymous:
1) Statification of modules.
2) Implement the 'detach' and 'Detach' commands for extracting mime
parts from messages.
3) Teach mail to output "In-Reply-To" and "References" header fields
when replying so others can thread us.
4) Implement threading, sorting, and tagging, supported by the
following commands: 'flatten', 'reverse', 'sort', 'thread',
'unthread', 'down', 'tset', 'up', 'expose', 'hide', 'tag',
'untag', 'invtags', 'tagbelow', 'hidetags', 'showtags'.
See the manpage for details (when available - soon).
5) Implement a 'deldups' command to delete duplicate messages based on
their "Message-Id" field, e.g., in replies to a mailing list that
are also CCed to a subscriber. (This can also be accomplished with
the threading and tagging commands.)
6) Implement 'ifdef' and 'ifndef' commands, and make the conditionals
nestable (i.e., implement a conditional stack). The if/else/endif
commands existed before, but they were primitive and undocumented.
The 'if' command currently recognizes the "receiving", "sending",
and "headersonly" mode keywords.
7) Teach the message selecting routine to understand regular
expressions if "regex-search" is defined. Otherwise only case
insensitive substring matches are done (as in the past).
8) Teach the message selection routine to understand boolean
expressions. Improved "colon-modifier" support. See the manpage
for details (when available - soon).
9) Extend paging to all commands (where relevant).
10) Add shell like piping and redirection of (standard) output (if
"enable-piping" is defined). Extend completion to these contexts.
11) The manpage should follow soon!!!!
|
| 1.23 |
| 31-Oct-2006 |
christos | More fixes from Anon Ymous:
1) Removed the -B flag (it was stupid on my part) and added a short
description indicating how to accomplish the same thing under the
"Sending Mail" section of man mail(1).
2) Added a -H flag to dump the headers and exit. It takes optional
flags to restrict to old, new, read, unread, and deleted messages
(the later being kind of useless - it shares code with something
that already had it).
3) Restored the 'Save' command which somehow got mistakenly removed in
the last commit and add documentation for it! (My apologies to
its author.)
4) Added a 'mkread' command to mark messages as read (the inverse of
'unread'). Should we also have a 'mknew' command?
5) Added a 'smopts' command to keep a database of addresses and
sendmail options to be used when sending messages to those
addresses. See man mail(1) for a fuller description.
6) Added 'indentpreamble' and 'indentpostscript' variables whose
values are inserted before and after a quoted message (~m or ~M
escapes).
=20
7) Added string formatting abilities for the 'prompt', 'insertpreamble',
'insertpostscript', and header display strings. These strings
support all the strftime() format parameters as well as many more
specific to mail (see man mail(1)).
8) Fix the -a flag so that it only takes a single filename, unless
"mime-attach-list" is defined. This is more conventional and avoids
unexpected whitespace issues.
|
| 1.22 |
| 21-Oct-2006 |
christos | From our anonymous user:
- mime and character set handling
- command line editor and completion
- many code improvements
|
| 1.21 |
| 18-Sep-2006 |
christos | Jumbo mail patch from our anonymous user:
1) Use editline [optional]:
Most of this code was borrowed from src/usr.bin/ftp. It does the
appropriate editing, history, and completion for all mail commands
(from cmdtab[]) and also does editing on header strings ('~h' inside
the mail editor).
2) '-B' flag:
This will suppress the "To:" line passed to sendmail. In most
configurations it will lead to sendmail adding "To: undisclosed
recipients;". Currently, AFAIK mail requires at least one exposed
recipient address.
3) Comments in rcfile:
Currently, comments in .mailrc are only supported if the first
(non-white) character on a line is '#' followed by white space,
i.e., '#' is a 'nop' command. This (trivial) patch allows the more
normal/expected use of '#' as a comment character. It does not
respect quoting, so that might be an objection which I should fix.
4) Sendmail option editing:
This adds the sendmail option string to the strings editable by the
'~h' command within the mail editor. Currently, you can only set
this string from the command-line, which is particularly annoying
when replying to mail.
5) Reply from:
When replying to a message, grab the "To:" address from the message
and, if there is only one such address and it does not match a list of
allowed addresses (set in the "ReplyFrom" variable), pass it to
sendmail as the "From:" address for the reply (with the '-f' option).
I often make aliases for myself so that my primary address is not
given out; if the alias gets out, I know who to blame. Unfortunately,
a reply to such a message would normally use the primary address
without this patch. A warning is displayed when this is going to
happen so that it can be modified with '~h'.
6) CC and BCC lists:
Allow '-c' and '-b' to accept white-space or ',' delimited lists.
Currently, a white-space delimited list of addresses work, but a
list of aliases will not get expanded. For example, currently:
mail -c "foo bar" christos
will fail to send mail to 'foo' and 'bar' if these are mail aliases
(in ~/.mailrc); sendmail aliases (in /etc/aliases) do work.
7) pipe command:
This pipes the current message into a shell command. I use this for
quick decoding of uuencoded mail, but I can imagine it might be
useful for decrypting encrypted mail, too.
8) show command:
This command takes a list of variables and shows their values. It
is probably stupid as the 'set' command without any argument
displays all variable values. Of course, if there are a lot of
variables you have to sift through the list for the one(s) you want.
|
| 1.20 |
| 15-Jun-2006 |
ghen | Make mail(1) invoke "sendmail" instead of "send-mail", this is more standard.
Ok with christos.
|
| 1.19 |
| 19-Jul-2005 |
christos | branches: 1.19.2;
Pass lint completely.
|
| 1.18 |
| 19-Jul-2005 |
christos | WARNS=3
|
| 1.17 |
| 07-Aug-2003 |
agc | Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22365, verified by myself.
|
| 1.16 |
| 06-Mar-2002 |
wiz | Replace another tempnam() with mkstemp(), and remove the tempEdit variable.
Inspired by OpenBSD.
|
| 1.15 |
| 05-Mar-2002 |
wiz | Use warn() instead of perror().
|
| 1.14 |
| 05-Mar-2002 |
wiz | KNF: No space after casts.
|
| 1.13 |
| 04-Mar-2002 |
wiz | Replace some more special pointers to zero (NIL, NONE, NOVAR, NOGRP, NOGE)
with NULL.
|
| 1.12 |
| 04-Mar-2002 |
wiz | Don't use special null string pointer (NOSTR), just use NULL.
|
| 1.11 |
| 02-Mar-2002 |
wiz | Rename variables to avoid shadowing.
|
| 1.10 |
| 02-Mar-2002 |
wiz | ANSIfy, and minimal KNF.
|
| 1.9 |
| 05-Feb-2001 |
christos | fix nested externs
rename raise to upcase to avoid clash with raise(3)
|
| 1.8 |
| 19-Dec-1998 |
christos | index -> strchr
|
| 1.7 |
| 25-Nov-1997 |
bad | Detect more errors while manipulating mailbox files and tell the user
about them. Don't truncate mailbox files when a write error has occured.
|
| 1.6 |
| 19-Oct-1997 |
lukem | branches: 1.6.2;
WARNSify, fix .Nm usage, deprecate register, use <err.h>
|
| 1.5 |
| 08-Jun-1996 |
christos | - Fix PR/105: Implement dot locking protocol and check return value of flock.
- Fix PR/2247: Don't call unknown users "ubluit". Issue an error message.
- Fix/add prototypes.
- Fix warnings.
- Use POSIX signal mask calls.
- RCSid police.
|
| 1.4 |
| 28-Nov-1994 |
jtc | Use tempnam() to generate temporary file names instead of trying to
concatenate getenv("TMPDIR") and "RxXXXXXX" into fixed length arrays.
|
| 1.3 |
| 29-Jun-1994 |
deraadt | 4.4-lite, plus our mods
|
| 1.2 |
| 01-Aug-1993 |
mycroft | Add RCS identifiers.
|
| 1.1 |
| 21-Mar-1993 |
cgd | branches: 1.1.1;
Initial revision
|
| 1.1.1.2 |
| 28-Dec-1996 |
tls | Import of 4.4BSD-Lite (already merged at head)
|
| 1.1.1.1 |
| 21-Mar-1993 |
cgd | initial import of 386bsd-0.1 sources
|
| 1.6.2.1 |
| 26-Nov-1997 |
mellon | Pull rev 1.7 up from trunk (bad)
|
| 1.19.2.1 |
| 19-Jun-2006 |
chap | Sync with head.
|
| 1.24.2.1 |
| 19-Feb-2007 |
tron | Pull up following revision(s) (requested by christos in ticket #454):
usr.bin/mail/complete.c: revision 1.12
usr.bin/mail/mail.1: revision 1.47
usr.bin/mail/main.c: revision 1.26
usr.bin/mail/version.c: revision 1.11
usr.bin/mail/mime_decode.c: revision 1.7
usr.bin/mail/list.c: revision 1.19
usr.bin/mail/names.c: revision 1.25
From Anon Ymous
1) Add support for message selection based on the message body. The
pattern matching is done on the MIME decoded body as would be seen by
the print command.
2) Don't hook editline when doing headers only: that mode is never
interactive and it messes up piping if output is redirected to a
command that expects tty input, such as 'more'.
|
| 1.25.4.1 |
| 06-Nov-2007 |
matt | sync with HEAD
|
| 1.28.6.2 |
| 30-Oct-2012 |
yamt | sync with head
|
| 1.28.6.1 |
| 23-May-2012 |
yamt | sync with head.
|
| 1.29.2.1 |
| 20-Nov-2012 |
tls | Resync to 2012-11-19 00:00:00 UTC
|
| 1.30.8.1 |
| 23-Apr-2015 |
snj | Pull up following revision(s) (requested by christos in ticket #719):
usr.bin/mail/cmd3.c: revision 1.43
usr.bin/mail/extern.h: revision 1.33
usr.bin/mail/fio.c: revisions 1.41, 1.42
usr.bin/mail/mail.1: revision 1.61
usr.bin/mail/names.c: revision 1.31, 1.32
usr.bin/mail/send.c: revision 1.38
Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with |.
Such addresses can be specified both on the command line, the mail
headers (with -t) or in address lines copied over from previous
while replying.
This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.
Added expandaddr option to explicitly enable this behavior.
0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.
Fixed.
0003. Make wordexp support mandatory. (No functional change.)
Fixed (replaced explicit shell pipe implementation).
0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:
Fixed (as part of the pipe replacement with wordexp).
--
fix incorrect arg size computation
|
