
Commit 01a00aa

committed
use standard APIs for filename escapes, and check for errors
1 parent de65566 commit 01a00aa


1 file changed

+16
-19
lines changed


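--- a/src/modules/rlm_smtp/rlm_smtp.c
+++ b/src/modules/rlm_smtp/rlm_smtp.c
@@ -282,7 +282,7 @@ static int value_box_list_to_header(fr_mail_ctx_t *uctx, struct curl_slist **out
 /*
 * Takes a string value and adds it as a file path to upload as an attachment
 */
-static int str_to_attachments(fr_mail_ctx_t *uctx, curl_mime *mime, char const * str, size_t len,
+static int str_to_attachments(fr_mail_ctx_t *uctx, curl_mime *mime, fr_value_box_t *vb,
 fr_sbuff_t *path_buffer, fr_sbuff_marker_t *m)
 {
 request_t *request = uctx->request;
@@ -292,33 +292,27 @@ static int str_to_attachments(fr_mail_ctx_t *uctx, curl_mime *mime, char const *
 fr_sbuff_set(path_buffer, m);
 
 /* Check to see if the file attachment is valid, skip it if not */
-RDEBUG2("Trying to set attachment: %s", str);
+RDEBUG2("Trying to set attachment: %pV", vb);
 
-if (*str == '/') {
-RDEBUG2("File attachments cannot be an absolute path");
-return 0;
-}
-
-if (strncmp(str, "..", 2) == 0) {
-RDEBUG2("Cannot access values outside of template_directory");
-return 0;
+if (fr_value_box_escape_in_place_erules(vb, vb, &fr_filename_escape) < 0) {
+RPEDEBUG2("Failed escaping path");
+return -1;
 }
 
-/* Copy the filename into the buffer */
-if (fr_sbuff_in_bstrncpy(path_buffer, str, len) < 0) {
-RDEBUG2("Cannot copy filename");
-return 0;
+if (fr_sbuff_in_bstrncpy(path_buffer, vb->vb_strvalue, vb->vb_length) < 0) {
+RPEDEBUG2("Path is too long");
+return -1;
 }
 
 /* Add the file attachment as a mime encoded part */
 part = curl_mime_addpart(mime);
 curl_mime_encoder(part, "base64");
 if (curl_mime_filedata(part, path_buffer->buff) != CURLE_OK) {
 REDEBUG2("Cannot add file attachment");
-return 0;
+return -1;
 }
 
-return 1;
+return 0;
 }
 
 /** Generate the `From:` header
@@ -570,7 +564,9 @@ static int attachments_source(fr_mail_ctx_t *uctx, curl_mime *mime, rlm_smtp_t c
 /* Add the attachments to the email */
 for (i = 0; i < list_count; i++) {
 while ((vb = fr_value_box_list_next(list, vb))) {
-attachments_set += str_to_attachments(uctx, mime, vb->vb_strvalue, vb->vb_length, &path_buffer, &m);
+if (str_to_attachments(uctx, mime, vb, &path_buffer, &m) < 0) return -1;
+
+attachments_set++;
 }
 list++;
 }
@@ -754,8 +750,9 @@ static unlang_action_t CC_HINT(nonnull) mod_mail(unlang_result_t *p_result, modu
 }
 
 /* Initialize the attachments if there are any*/
-if (attachments_source(mail_ctx, mail_ctx->mime, inst, call_env) == 0){
-RDEBUG3("No files were attached to the email");
+if (attachments_source(mail_ctx, mail_ctx->mime, inst, call_env) < 0) {
+rcode = RLM_MODULE_FAIL;
+goto error;
 }
 
 /* Add the mime encoded elements to the curl request */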
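Review bot: In str_to_attachments the explicit rejections of a leading `/` and a leading `..` are removed, so keeping the attachment path under the prefix already in `path_buffer` (presumably template_directory, going by the removed message) now rests entirely on what `fr_filename_escape` does to separators and dot segments, which this page does not show. If that rule set does neutralise them, record the guarantee at the call, e.g. `/* fr_filename_escape neutralises '/' and ".." so the result stays under the attachment directory */`; if it does not, a containment check is still needed before `curl_mime_filedata()`. The retained comment `/* Check to see if the file attachment is valid, skip it if not */` is now stale, because a bad path fails the whole mail with `-1` instead of being skipped. The function's header comment should also state the new return convention, `0` on success and `-1` on error, since it replaces the old 1/0 "attached" count that the caller used to sum.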
