
Sanitize headers to protect against email injection.

jprider63 committed Feb 6, 2017
1 parent 3d46cb8 commit ac1de33f4d243403bfb1baab550ce93dbc035a59
Showing with 17 additions and 5 deletions.
  1. +4 −0 mime-mail/ChangeLog.md
  2. +12 −4 mime-mail/Network/Mail/Mime.hs
  3. +1 −1 mime-mail/mime-mail.cabal
@@ -1,3 +1,7 @@
## 0.4.13

* Sanitize headers to protect against email injection.

## 0.4.12

* Add function to add attachments with content id [#48](https://github.com/snoyberg/mime-mail/pull/48)
@@ -56,7 +56,7 @@ import qualified Data.Text.Lazy as LT
import qualified Data.Text.Lazy.Encoding as LT
import Data.ByteString.Char8 ()
import Data.Bits ((.&.), shiftR)
import Data.Char (isAscii)
import Data.Char (isAscii, isControl)
import Data.Word (Word8)
import qualified Data.ByteString as S
import Data.Text (Text)
@@ -229,11 +229,15 @@ renderAddress :: Address -> Text
renderAddress address =
TE.decodeUtf8 $ toByteString $ showAddress address

-- Only accept characters between 33 and 126, excluding colons. [RFC2822](https://tools.ietf.org/html/rfc2822#section-2.2)
sanitizeFieldName :: S.ByteString -> S.ByteString
sanitizeFieldName = S.filter (\w -> w >= 33 && w <= 126 && w /= 58)

showHeader :: (S.ByteString, Text) -> Builder
showHeader (k, v) = mconcat
[ fromByteString k
[ fromByteString (sanitizeFieldName k)
, fromByteString ": "
, encodeIfNeeded v
, encodeIfNeeded (sanitizeHeader v)
, fromByteString "\n"
]

@@ -255,10 +259,14 @@ showAddress :: Address -> Builder
showAddress a = mconcat
[ maybe mempty ((fromByteString " " <>) . encodedWord) (addressName a)
, fromByteString "<"
, fromText (addressEmail a)
, fromText (sanitizeHeader $ addressEmail a)
, fromByteString ">"
]

-- Filter out control characters to prevent CRLF injection.
sanitizeHeader :: Text -> Text
sanitizeHeader = T.filter (not . isControl)

showBoundPart :: Boundary -> (Headers, Builder) -> Builder
showBoundPart (Boundary b) (headers, content) = mconcat
[ fromByteString "--"
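Review bot: In showAddress only `addressEmail a` is passed through `sanitizeHeader`; `addressName a` still goes to `encodedWord` unsanitized, so whether a CR/LF in a display name can still break the header line depends on encodedWord's encoding, which is outside this hunk and worth checking or wrapping the same way (`maybe mempty ((fromByteString " " <>) . encodedWord . sanitizeHeader) (addressName a)`). Note also that `isControl` is true for `'\t'`, so sanitizeHeader drops horizontal tabs that are otherwise legal in folded header values, and it silently alters a bad value (e.g. an address containing a newline becomes a different, still-sent address) rather than rejecting it; if callers can tolerate it, a `Maybe`/`Either`-returning check would be the safer contract. The two new helpers deserve Haddock rather than plain comments, e.g. `-- | Strip control characters (including CR, LF and HT) so a value cannot terminate the header line; the value is altered silently rather than rejected.` on sanitizeHeader and `-- | Keep only printable US-ASCII except ':' (RFC 2822 field-name), dropping everything else silently.` on sanitizeFieldName. showBoundPart, which starts at the end of the hunk, continues outside it.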
@@ -1,5 +1,5 @@
Name: mime-mail
Version: 0.4.12
Version: 0.4.13
Synopsis: Compose MIME email messages.
description: Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/mime-mail>.
Homepage: http://github.com/snoyberg/mime-mail
