Hello community, here is the log from the commit of package ghc-mime-mail for openSUSE:Factory checked in at 2017-03-14 10:05:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-mime-mail (Old) and /work/SRC/openSUSE:Factory/.ghc-mime-mail.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-mime-mail" Tue Mar 14 10:05:34 2017 rev:4 rq:461662 version:0.4.13
Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-mime-mail/ghc-mime-mail.changes 2017-01-12 15:50:45.390549487 +0100
+++ /work/SRC/openSUSE:Factory/.ghc-mime-mail.new/ghc-mime-mail.changes 2017-03-14 10:05:35.332517589 +0100
@@ -1,0 +2,5 @@
+Sun Feb 12 14:09:09 UTC 2017 - psim...@suse.com
+
+- Update to version 0.4.13 with cabal2obs.
+
+-------------------------------------------------------------------
Old:
----
mime-mail-0.4.12.tar.gz
New:
----
mime-mail-0.4.13.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ghc-mime-mail.spec ++++++
--- /var/tmp/diff_new_pack.zixDWs/_old 2017-03-14 10:05:35.820448498 +0100
+++ /var/tmp/diff_new_pack.zixDWs/_new 2017-03-14 10:05:35.820448498 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ghc-mime-mail
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %global pkg_name mime-mail
 %bcond_with tests
 Name: ghc-%{pkg_name}
-Version: 0.4.12
+Version: 0.4.13
 Release: 0
 Summary: Compose MIME email messages
 License: MIT
++++++ mime-mail-0.4.12.tar.gz -> mime-mail-0.4.13.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mime-mail-0.4.12/ChangeLog.md new/mime-mail-0.4.13/ChangeLog.md
--- old/mime-mail-0.4.12/ChangeLog.md 2016-12-11 16:14:16.000000000 +0100
+++ new/mime-mail-0.4.13/ChangeLog.md 2017-02-07 13:11:08.000000000 +0100
@@ -1,3 +1,7 @@
+## 0.4.13
+
+* Sanitize headers to protect against email injection.
+
 ## 0.4.12
 * Add function to add attachments with content id [#48](https://github.com/snoyberg/mime-mail/pull/48)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mime-mail-0.4.12/Network/Mail/Mime.hs new/mime-mail-0.4.13/Network/Mail/Mime.hs
--- old/mime-mail-0.4.12/Network/Mail/Mime.hs 2016-12-11 16:14:16.000000000 +0100
+++ new/mime-mail-0.4.13/Network/Mail/Mime.hs 2017-02-07 13:11:08.000000000 +0100
@@ -56,7 +56,7 @@
 import qualified Data.Text.Lazy.Encoding as LT
 import Data.ByteString.Char8 ()
 import Data.Bits ((.&.), shiftR)
-import Data.Char (isAscii)
+import Data.Char (isAscii, isControl)
 import Data.Word (Word8)
 import qualified Data.ByteString as S
 import Data.Text (Text)
@@ -229,11 +229,15 @@
 renderAddress address = TE.decodeUtf8 $ toByteString $ showAddress address
+-- Only accept characters between 33 and 126, excluding colons. [RFC2822](https://tools.ietf.org/html/rfc2822#section-2.2)
+sanitizeFieldName :: S.ByteString -> S.ByteString
+sanitizeFieldName = S.filter (\w -> w >= 33 && w <= 126 && w /= 58)
+
 showHeader :: (S.ByteString, Text) -> Builder
 showHeader (k, v) = mconcat
- [ fromByteString k
+ [ fromByteString (sanitizeFieldName k)
 , fromByteString ": "
- , encodeIfNeeded v
+ , encodeIfNeeded (sanitizeHeader v)
 , fromByteString "\n"
 ]
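Review bot: `sanitizeFieldName` can return an empty name when every byte of `k` lies outside 33–126, and the new `showHeader` then still emits a line of the form `: value`, which is a malformed header rather than a rejected one; a guard such as `| S.null name = mempty` with `where name = sanitizeFieldName k` (or a `Maybe`-returning sanitizer so the caller sees the rejection) would make that case explicit instead of silent. Dropping offending bytes also quietly turns an invalid name into a different but syntactically valid one, which is worth stating where the function is documented. Both new definitions use plain `--` comments; a `-- |` Haddock line such as `-- | Keep only printable US-ASCII bytes other than ':' (RFC 2822 §2.2 field-name); anything else is dropped silently, so the result may be empty.` would also reach generated docs. `sanitizeHeader`, applied to `v` here, is defined in the following hunk.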
@@ -255,10 +259,14 @@
 showAddress a = mconcat
 [ maybe mempty ((fromByteString " " <>) . encodedWord) (addressName a)
 , fromByteString "<"
- , fromText (addressEmail a)
+ , fromText (sanitizeHeader $ addressEmail a)
 , fromByteString ">"
 ]
+-- Filter out control characters to prevent CRLF injection.
+sanitizeHeader :: Text -> Text
+sanitizeHeader = T.filter (not . isControl)
+
 showBoundPart :: Boundary -> (Headers, Builder) -> Builder
 showBoundPart (Boundary b) (headers, content) = mconcat
 [ fromByteString "--"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mime-mail-0.4.12/mime-mail.cabal new/mime-mail-0.4.13/mime-mail.cabal
--- old/mime-mail-0.4.12/mime-mail.cabal 2016-12-11 16:14:16.000000000 +0100
+++ new/mime-mail-0.4.13/mime-mail.cabal 2017-02-07 13:11:08.000000000 +0100
@@ -1,5 +1,5 @@
 Name: mime-mail
-Version: 0.4.12
+Version: 0.4.13
 Synopsis: Compose MIME email messages.
 description: Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/mime-mail>.
 Homepage: http://github.com/snoyberg/mime-mail
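Review bot: `sanitizeHeader` on `addressEmail a` removes CR and LF, which closes the new-line injection, but the result is still written with `fromText` into the `<` … `>` mailbox without any check that it is a single addr-spec; the characters that delimit address lists and comments (`<`, `>`, `,`, `(`, `)`, whitespace) pass through unchanged, so a value the caller has not validated can still change the structure of a recipient header. Either restricting `addressEmail` to the addr-spec character set here or documenting on the `Address` type that callers are responsible for validating it would make that boundary explicit; which one fits depends on the exported API, which lies outside this hunk. `isControl` also strips HTAB, which RFC 2822 permits as folding whitespace in a field body, so a value a caller pre-folded with CRLF plus TAB is joined with no separator — harmless for an address, but `showHeader` uses the same function on arbitrary values. A Haddock line would capture both points: `-- | Drop every control character (CR, LF, TAB and the C1 range) so a value cannot start a new header line; the value's syntax is not otherwise validated.` `showAddress` begins before this hunk.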