Hello community,

here is the log from the commit of package ghc-mime-mail for openSUSE:Factory 
checked in at 2017-03-14 10:05:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-mime-mail (Old)
 and      /work/SRC/openSUSE:Factory/.ghc-mime-mail.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghc-mime-mail"

Tue Mar 14 10:05:34 2017 rev:4 rq:461662 version:0.4.13

Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-mime-mail/ghc-mime-mail.changes      
2017-01-12 15:50:45.390549487 +0100
+++ /work/SRC/openSUSE:Factory/.ghc-mime-mail.new/ghc-mime-mail.changes 
2017-03-14 10:05:35.332517589 +0100
@@ -1,0 +2,5 @@
+Sun Feb 12 14:09:09 UTC 2017 - psim...@suse.com
+
+- Update to version 0.4.13 with cabal2obs.
+
+-------------------------------------------------------------------

Old:
----
  mime-mail-0.4.12.tar.gz

New:
----
  mime-mail-0.4.13.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghc-mime-mail.spec ++++++
--- /var/tmp/diff_new_pack.zixDWs/_old  2017-03-14 10:05:35.820448498 +0100
+++ /var/tmp/diff_new_pack.zixDWs/_new  2017-03-14 10:05:35.820448498 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ghc-mime-mail
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %global pkg_name mime-mail
 %bcond_with tests
 Name:           ghc-%{pkg_name}
-Version:        0.4.12
+Version:        0.4.13
 Release:        0
 Summary:        Compose MIME email messages
 License:        MIT

++++++ mime-mail-0.4.12.tar.gz -> mime-mail-0.4.13.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mime-mail-0.4.12/ChangeLog.md 
new/mime-mail-0.4.13/ChangeLog.md
--- old/mime-mail-0.4.12/ChangeLog.md   2016-12-11 16:14:16.000000000 +0100
+++ new/mime-mail-0.4.13/ChangeLog.md   2017-02-07 13:11:08.000000000 +0100
@@ -1,3 +1,7 @@
+## 0.4.13
+
+* Sanitize headers to protect against email injection.
+
 ## 0.4.12
 
 * Add function to add attachments with content id 
[#48](https://github.com/snoyberg/mime-mail/pull/48)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mime-mail-0.4.12/Network/Mail/Mime.hs 
new/mime-mail-0.4.13/Network/Mail/Mime.hs
--- old/mime-mail-0.4.12/Network/Mail/Mime.hs   2016-12-11 16:14:16.000000000 
+0100
+++ new/mime-mail-0.4.13/Network/Mail/Mime.hs   2017-02-07 13:11:08.000000000 
+0100
@@ -56,7 +56,7 @@
 import qualified Data.Text.Lazy.Encoding as LT
 import Data.ByteString.Char8 ()
 import Data.Bits ((.&.), shiftR)
-import Data.Char (isAscii)
+import Data.Char (isAscii, isControl)
 import Data.Word (Word8)
 import qualified Data.ByteString as S
 import Data.Text (Text)
@@ -229,11 +229,15 @@
 renderAddress address =
     TE.decodeUtf8 $ toByteString $ showAddress address
 
+-- Only accept characters between 33 and 126, excluding colons. 
[RFC2822](https://tools.ietf.org/html/rfc2822#section-2.2)
+sanitizeFieldName :: S.ByteString -> S.ByteString
+sanitizeFieldName = S.filter (\w -> w >= 33 && w <= 126 && w /= 58)
+
 showHeader :: (S.ByteString, Text) -> Builder
 showHeader (k, v) = mconcat
-    [ fromByteString k
+    [ fromByteString (sanitizeFieldName k)
     , fromByteString ": "
-    , encodeIfNeeded v
+    , encodeIfNeeded (sanitizeHeader v)
     , fromByteString "\n"
     ]
 
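Review bot: `sanitizeFieldName` can return an empty string when every byte of `k` is outside 33–126 or is a colon, and `showHeader` then emits a line beginning with `: `, which is not a valid header field. Because the filter drops bytes silently, a caller that passes a bad field name gets a different header than it asked for, with no signal. `showHeader` has no failure channel, so the smallest fix is to skip the header in that case with a guard such as `| S.null (sanitizeFieldName k) = mempty` ahead of the `mconcat` equation. The comment above `sanitizeFieldName` would also read better as Haddock (`-- |`), and it should say that disallowed bytes are removed rather than rejected.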
@@ -255,10 +259,14 @@
 showAddress a = mconcat
     [ maybe mempty ((fromByteString " " <>) . encodedWord) (addressName a)
     , fromByteString "<"
-    , fromText (addressEmail a)
+    , fromText (sanitizeHeader $ addressEmail a)
     , fromByteString ">"
     ]
 
+-- Filter out control characters to prevent CRLF injection.
+sanitizeHeader :: Text -> Text
+sanitizeHeader = T.filter (not . isControl)
+
 showBoundPart :: Boundary -> (Headers, Builder) -> Builder
 showBoundPart (Boundary b) (headers, content) = mconcat
     [ fromByteString "--"
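Review bot: `sanitizeHeader` strips only control characters, so in `showAddress` an `addressEmail` containing `<`, `>` or `,` still reaches the output between the literal `<` and `>` and can change how the rendered address list is parsed. If addresses can come from untrusted input, apply a stricter filter to the address only, for example `T.filter (\c -> not (isControl c) && c /= '<' && c /= '>' && c /= ',')`, or reject such values before rendering; header values in `showHeader` can legitimately contain these characters. The display name goes through `encodedWord`, which is defined outside this hunk, so it is worth confirming that it encodes CR and LF rather than passing them through. `showBoundPart` continues past the end of the hunk.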
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mime-mail-0.4.12/mime-mail.cabal 
new/mime-mail-0.4.13/mime-mail.cabal
--- old/mime-mail-0.4.12/mime-mail.cabal        2016-12-11 16:14:16.000000000 
+0100
+++ new/mime-mail-0.4.13/mime-mail.cabal        2017-02-07 13:11:08.000000000 
+0100
@@ -1,5 +1,5 @@
 Name:                mime-mail
-Version:             0.4.12
+Version:             0.4.13
 Synopsis:            Compose MIME email messages.
 description:         Hackage documentation generation is not reliable. For up 
to date documentation, please see: <http://www.stackage.org/package/mime-mail>.
 Homepage:            http://github.com/snoyberg/mime-mail

