add MAX_DEPTH to limit depth of parsed emails

rjbs · May 9, 2020 · 3a12edd · 3a12edd
1 parent 713e306
commit 3a12edd
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/lib/Email/MIME.pm b/lib/Email/MIME.pm
@@ -377,10 +377,17 @@ sub body_str {
   return $str;
 }
 
+our $MAX_DEPTH = 10;
+
 sub parts_multipart {
   my $self     = shift;
   my $boundary = $self->{ct}->{attributes}->{boundary};
 
+  our $DEPTH ||= 0;
+
+  Carp::croak("attempted to parse a MIME message more than $MAX_DEPTH deep")
+    if $MAX_DEPTH && $DEPTH > $MAX_DEPTH;
+
   # Take a message, join all its lines together.  Now try to Email::MIME->new
   # it with 1.861 or earlier.  Death!  It tries to recurse endlessly on the
   # body, because every time it splits on boundary it gets itself. Obviously
@@ -411,6 +418,7 @@ sub parts_multipart {
   for my $bit (@bits) {
     $bit =~ s/\A[\n\r]+//smg;
     $bit =~ s/(?<!\x0d)$self->{mycrlf}\Z//sm;
+    local $DEPTH = $DEPTH + 1;
     my $email = (ref $self)->new($bit, { encode_check => $self->encode_check });
     push @parts, $email;
   }