smeserver-qpsmtpd/sme10/smeserver-qpsmtpd-2.7.0-bz11648-tnef2mime.patch

diff -Nur --no-dereference smeserver-qpsmtpd-2.7.0.old/root/usr/share/qpsmtpd/plugins/tnef2mime smeserver-qpsmtpd-2.7.0/root/usr/share/qpsmtpd/plugins/tnef2mime
--- smeserver-qpsmtpd-2.7.0.old/root/usr/share/qpsmtpd/plugins/tnef2mime        2008-10-07 11:05:17.000000000 -0400
+++ smeserver-qpsmtpd-2.7.0/root/usr/share/qpsmtpd/plugins/tnef2mime    2021-09-17 00:33:10.776000000 -0400
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -wT
+#!/usr/bin/perl -w
 =head1 NAME
 
 tnef2mime
@@ -19,9 +19,56 @@
 
 
 =cut
-
-
 use MIME::Parser;
+{
+# this is a dirty fix regarding this bug https://rt.cpan.org/Ticket/Display.html?id=97886
+# this way we can keep on usinhg this plugin waiting for the upstream fix
+# the no warnings avoid message in qpsmtpd log on every mails saying we override the sub.
+no warnings;
+*MIME::Parser::Filer::output_path = sub  {
+    my ($self, $head) = @_;
+
+    ### Get the output directory:
+    my $dir = $self->output_dir($head);
+
+    ### Get the output filename as UTF-8
+    my $fname = $head->recommended_filename;
+
+    ### Can we use it:
+    if    (!defined($fname)) {
+        $self->debug("no filename recommended: synthesizing our own");
+        $fname = $self->output_filename($head);
+    }
+    elsif ($self->ignore_filename) {
+        $self->debug("ignoring all external filenames: synthesizing our own");
+        $fname = $self->output_filename($head);
+    }
+    elsif ($self->evil_filename($fname)) {
+
+        ### Can we save it by just taking the last element?
+        my $ex = $self->exorcise_filename($fname);
+        if (defined($ex) and !$self->evil_filename($ex)) {
+            $self->whine("Provided filename '$fname' is regarded as evil, ",
+                         "but I was able to exorcise it and get something ",
+                         "usable.");
+            $fname = $ex;
+        }
+        else {
+            $self->whine("Provided filename '$fname' is regarded as evil; ",
+                         "I'm ignoring it and supplying my own.");
+            $fname = $self->output_filename($head);
+        }
+    }
+    $self->debug("planning to use '$fname'");
+
+    #untaint dir and fname
+    $self->debug("it is our own");
+    $fname = ($fname =~ m/^([ \w_.:%-]+)$/ig) ? $1 : $self->output_filename($head);
+    ### Resolve collisions and return final path:
+    return $self->find_unused_path($dir, $fname);
+};
+}
+
 use MIME::Entity;
 use MIME::Head;
 use File::MMagic;
@@ -117,13 +164,18 @@
        my ($self, $transaction) = @_;
        # new Parser Object
        $parser = new MIME::Parser;
+       # if you want to debug the Parser :
+       #use MIME::Tools; MIME::Tools->debugging(1);
        # temp output directory
        $parser->output_under( $tmpdir );
        $parser->extract_uuencode(1);
 
+       #untainted filename
+       $transaction->body_filename() =~ /^([:\-\/\w]+)\z/ or die "Disallowed characters in filename ".$transaction->body_filename();
+       my $bdfilename = $1;
        # read message body
-       open BFN, $transaction->body_filename();
-       $ent = $parser->parse(\*BFN);
+       open BFN, "<", $bdfilename ;#$transaction->body_filename();
+       $ent = $parser->parse(\*BFN);
        my @keep = grep { keep_part($self, $_) } $ent->parts; # @keep now holds all non-tnef attachments
        close BFN;
 
@@ -155,7 +207,7 @@
                        $transaction->header->add('X-TNEF2MIME-Plugin', $xac );
                        }
                # write converted message body
-               open BFN, ">" . $transaction->body_filename();
+               open BFN, ">" , $bdfilename;#$transaction->body_filename();
                $ent->print(\*BFN);
                close BFN;
                }
@@ -166,7 +218,9 @@
                $tnefs[$i]->purge();
                }
        
-       my $output_dir = $parser->output_dir;
+        #untainted filename
+        $parser->output_dir =~ /^([:\-\/\w]+)\z/ or die "Disallowed characters in output dir ".$parser->output_dir;
+        my $output_dir = $1;
        
        opendir( DIR, $output_dir ) or die "Could not open temporary output dir $output_dir: $!\n";
        while( defined( my $file = readdir( DIR ) ) )
1	diff -Nur --no-dereference smeserver-qpsmtpd-2.7.0.old/root/usr/share/qpsmtpd/plugins/tnef2mime smeserver-qpsmtpd-2.7.0/root/usr/share/qpsmtpd/plugins/tnef2mime
2	--- smeserver-qpsmtpd-2.7.0.old/root/usr/share/qpsmtpd/plugins/tnef2mime 2008-10-07 11:05:17.000000000 -0400
3	+++ smeserver-qpsmtpd-2.7.0/root/usr/share/qpsmtpd/plugins/tnef2mime 2021-09-17 00:33:10.776000000 -0400
4	@@ -1,4 +1,4 @@
5	-#!/usr/bin/perl -wT
6	+#!/usr/bin/perl -w
7	=head1 NAME
8
9	tnef2mime
10	@@ -19,9 +19,56 @@
11
12
13	=cut
14	-
15	-
16	use MIME::Parser;
17	+{
18	+# this is a dirty fix regarding this bug https://rt.cpan.org/Ticket/Display.html?id=97886
19	+# this way we can keep on usinhg this plugin waiting for the upstream fix
20	+# the no warnings avoid message in qpsmtpd log on every mails saying we override the sub.
21	+no warnings;
22	+*MIME::Parser::Filer::output_path = sub {
23	+ my ($self, $head) = @_;
24	+
25	+ ### Get the output directory:
26	+ my $dir = $self->output_dir($head);
27	+
28	+ ### Get the output filename as UTF-8
29	+ my $fname = $head->recommended_filename;
30	+
31	+ ### Can we use it:
32	+ if (!defined($fname)) {
33	+ $self->debug("no filename recommended: synthesizing our own");
34	+ $fname = $self->output_filename($head);
35	+ }
36	+ elsif ($self->ignore_filename) {
37	+ $self->debug("ignoring all external filenames: synthesizing our own");
38	+ $fname = $self->output_filename($head);
39	+ }
40	+ elsif ($self->evil_filename($fname)) {
41	+
42	+ ### Can we save it by just taking the last element?
43	+ my $ex = $self->exorcise_filename($fname);
44	+ if (defined($ex) and !$self->evil_filename($ex)) {
45	+ $self->whine("Provided filename '$fname' is regarded as evil, ",
46	+ "but I was able to exorcise it and get something ",
47	+ "usable.");
48	+ $fname = $ex;
49	+ }
50	+ else {
51	+ $self->whine("Provided filename '$fname' is regarded as evil; ",
52	+ "I'm ignoring it and supplying my own.");
53	+ $fname = $self->output_filename($head);
54	+ }
55	+ }
56	+ $self->debug("planning to use '$fname'");
57	+
58	+ #untaint dir and fname
59	+ $self->debug("it is our own");
60	+ $fname = ($fname =~ m/^([ \w_.:%-]+)$/ig) ? $1 : $self->output_filename($head);
61	+ ### Resolve collisions and return final path:
62	+ return $self->find_unused_path($dir, $fname);
63	+};
64	+}
65	+
66	use MIME::Entity;
67	use MIME::Head;
68	use File::MMagic;
69	@@ -117,13 +164,18 @@
70	my ($self, $transaction) = @_;
71	# new Parser Object
72	$parser = new MIME::Parser;
73	+ # if you want to debug the Parser :
74	+ #use MIME::Tools; MIME::Tools->debugging(1);
75	# temp output directory
76	$parser->output_under( $tmpdir );
77	$parser->extract_uuencode(1);
78
79	+ #untainted filename
80	+ $transaction->body_filename() =~ /^([:\-\/\w]+)\z/ or die "Disallowed characters in filename ".$transaction->body_filename();
81	+ my $bdfilename = $1;
82	# read message body
83	- open BFN, $transaction->body_filename();
84	- $ent = $parser->parse(\*BFN);
85	+ open BFN, "<", $bdfilename ;#$transaction->body_filename();
86	+ $ent = $parser->parse(\*BFN);
87	my @keep = grep { keep_part($self, $_) } $ent->parts; # @keep now holds all non-tnef attachments
88	close BFN;
89
90	@@ -155,7 +207,7 @@
91	$transaction->header->add('X-TNEF2MIME-Plugin', $xac );
92	}
93	# write converted message body
94	- open BFN, ">" . $transaction->body_filename();
95	+ open BFN, ">" , $bdfilename;#$transaction->body_filename();
96	$ent->print(\*BFN);
97	close BFN;
98	}
99	@@ -166,7 +218,9 @@
100	$tnefs[$i]->purge();
101	}
102
103	- my $output_dir = $parser->output_dir;
104	+ #untainted filename
105	+ $parser->output_dir =~ /^([:\-\/\w]+)\z/ or die "Disallowed characters in output dir ".$parser->output_dir;
106	+ my $output_dir = $1;
107
108	opendir( DIR, $output_dir ) or die "Could not open temporary output dir $output_dir: $!\n";
109	while( defined( my $file = readdir( DIR ) ) )