Commit Graph

39 Commits

Author SHA1 Message Date
christos
4fe1ef32f3 Only open regular files. 2017-11-09 20:27:50 +00:00
christos
2a8765d5a2 Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses
    by default.  That avoids a direct command injection with syntactically
    valid email addresses starting with |.

    Such addresses can be specified both on the command line, the mail
    headers (with -t) or in address lines copied over from previous
    while replying.

    This was assigned CVE-2014-7844 for some versions of BSD mailx.  It is
    documented behavior for Heirloom mailx, and was mentioned in an old
    technical report about BSD mailx (which does not usually make its way
    into operating system installations).  The patch switches off this
    processing and updates the documentation.

Added expandaddr option to explicitly enable this behavior.

    0002. When invoking sendmail, prevent option processing for email
    address arguments.  This prevents changing e.g. the Postfix
    configuration file in unexpected ways.  This behavior was documented for
    BSD mailx (sort of), but not for Heirloom mailx.  We did not assign a
    CVE to this because it is more of a missing feature, and code invoking
    mailx needs adjustment in the caller as well.

Fixed.

    0003. Make wordexp support mandatory.  (No functional change.)

Fixed (replaced explicit shell pipe implementation).

    0004. Prevent command execution in the expand function, which is IMHO
    unexpected.  (Not really required with patch 1, and there is still
    information disclosure/DoS potential if this expansion occurs.)  This is
    a historic vulnerability already fixed in the Debian package,
    retroactively assigned CVE-2004-2771:

Fixed (as part of the pipe replacement with wordexp).
2014-12-16 19:30:24 +00:00
christos
5942983d76 set close on exec for all opened files. 2012-04-29 23:50:22 +00:00
he
ec30dc689c Do the -Wuninitialized workaround in a way which conforms to our
style guide, and remove a now unneeded LINTED comment.  From private
feedback.
2009-04-13 10:03:58 +00:00
he
a389f78e47 Work around a problem with gcc -Wuninitialized seen for our sh3 targets. 2009-04-12 22:47:39 +00:00
christos
ca13337dfe From Anon Ymous:
- Remove all longjmp(3) calls from signal handlers.  Instead, we post
to an internal signal queue and check that periodically.  All signal
related code is now in sig.c, except for the SIGCHLD handler which
remains in popen.c as it is intimately tied to routines there.

- Handle SIGPIPE in type1() regardless of mime support, or else the
handler in execute() will prevent our error code from being returned
resulting in 'sawcom' not being set on the first command as it should.
This only affected the initial behavior of the "next" command without
mime support.

- Add the 'T' flag to many commands in cmdtab.c that should not look
like the first command.  E.g., start mail on a mailbox with multiple
messages, run "set foo", then "next", and watch the second message get
displayed rather than the first as is the case without the first "set"
command.

- Add file descriptor and file handle leak detection.  Enabled by
DEBUG_FILE_LEAK.  This will likely disappear in the future.

- Fix a long standing (since import in 1993) longjmp() bug in
edstop(): the jmpbuf was invalid when quit() is called at the end of
main.

- Fix a long standing bug (since import in 1993) in snarf() where it
didn't strip whitespace correctly if the line consisted only of
whitespace.

- Lint cleanup.

- New Feature: "Header" command.  This allows miscellaneous header
fields to be added to the header, e.g., "X-Organization:" or
"Reply-To:" fields.

- New Feature: "page-also" variable.  This allows the specification of
additional commands to page.  It is more flexible than "crt".

- Document the "pager-off" variable: if set, it disables paging
entirely.
2009-04-10 13:08:24 +00:00
lukem
1742612d3c sign-compare fix for amd64 2009-01-25 14:07:18 +00:00
christos
349d978117 From Anon Ymous:
- Add a "forward" command as requested by garbled@.
  From the manpage:

  forward
	  Takes a list of messages and prompts for an address (or
	  addresses) to forward each message to.  If no message list is
	  specified, the current message is used.  The mail editor is run
	  for each message allowing the user to enter a message that will
	  precede the forward message.  The message is sent as a multi-
	  part/mixed MIME encoded message.

- Add the ability to match messages that do (or do not) contain a
  header field.  E.g., the command "f ! /Subject:" will display the
  list of messages that are missing a "Subject" field.

- Teach savemail() to prefix fake headlines so the mbox doesn't get
  broken.

- Fixed a couple of "bugs" in the attachment editing routine.
2007-10-30 02:28:30 +00:00
christos
2283d346cb From Anon Ymous:
knf changes:
- s/sizeof x/sizeof(x)/.
- remove unnecessary malloc typecasts.
- whitespace nits.
2007-10-29 23:20:37 +00:00
christos
4556f89a2d From Anon Ymous:
- Add a "bounce" command as requested by garbled@.
  From the manpage:

 bounce  Takes a list of messages and prompts for an address to bounce the
         messages to.  All the original header fields are preserved except
         for the ``Delivered-To'', ``X-Original-To'' and ``Status''
         fields.  The new ``To'' field contains the bounce address(es)
         plus any addresses in the old ``To'' field minus the user's local
         address and any on the alternates list.  (See the alternates com-
         mand.)
2007-10-27 15:14:50 +00:00
christos
d727506fb5 From Anon Ymous:
- Introduce date_to_tm() and hl_date_to_tm() to parse the date and
  headline date a bit more efficiently.
- If 'tm_isdst' is determined, let strftime(3) handle the '%Z' and
  '%z' formats.  Otherwise, output "-0000" and "???", respectively, to
  help preserve with alignment; strftime(3) will output an empty
  string in these case.
- Change fail() to use the '-d' flag (which sets the 'debug' variable)
  rather than the "debug" _environment_ variable.  This is more
  consistent with other warnings.
- Don't use gcc C extensions, e.g., "case LOW ... HIGH:".
- Define is_WSP() in def.h to be an inline function that for checks
  whitespace (WSP = ' ' or '\t'), as defined in RFC 2822.  Use it
  consistently in place of isblank().
- For consistency, rename skip_blank() to skip_WSP().
- Add inline skip_space() to complement skip_blank() (now skip_WSP).
- Check all ctype(3) calls for argument range issues.
- Whitespace and comment cleanup/changes.
2007-10-23 14:58:43 +00:00
christos
f309875081 From Anon Ymous:
1) Statification of modules.

2) Implement the 'detach' and 'Detach' commands for extracting mime
   parts from messages.

3) Teach mail to output "In-Reply-To" and "References" header fields
   when replying so others can thread us.

4) Implement threading, sorting, and tagging, supported by the
   following commands: 'flatten', 'reverse', 'sort', 'thread',
   'unthread', 'down', 'tset', 'up', 'expose', 'hide', 'tag',
   'untag', 'invtags', 'tagbelow', 'hidetags', 'showtags'.
   See the manpage for details (when available - soon).

5) Implement a 'deldups' command to delete duplicate messages based on
   their "Message-Id" field, e.g., in replies to a mailing list that
   are also CCed to a subscriber.  (This can also be accomplished with
   the threading and tagging commands.)

6) Implement 'ifdef' and 'ifndef' commands, and make the conditionals
   nestable (i.e., implement a conditional stack).  The if/else/endif
   commands existed before, but they were primitive and undocumented.
   The 'if' command currently recognizes the "receiving", "sending",
   and "headersonly" mode keywords.

7) Teach the message selecting routine to understand regular
   expressions if "regex-search" is defined.  Otherwise only case
   insensitive substring matches are done (as in the past).

8) Teach the message selection routine to understand boolean
   expressions.  Improved "colon-modifier" support.  See the manpage
   for details (when available - soon).

9) Extend paging to all commands (where relevant).

10) Add shell like piping and redirection of (standard) output (if
   "enable-piping" is defined).  Extend completion to these contexts.

11) The manpage should follow soon!!!!
2006-11-28 18:45:32 +00:00
christos
798fbc606d More fixes from Anon Ymous:
1) Removed the -B flag (it was stupid on my part) and added a short
   description indicating how to accomplish the same thing under the
   "Sending Mail" section of man mail(1).

2) Added a -H flag to dump the headers and exit.  It takes optional
   flags to restrict to old, new, read, unread, and deleted messages
   (the later being kind of useless - it shares code with something
   that already had it).

3) Restored the 'Save' command which somehow got mistakenly removed in
   the last commit and add documentation for it!  (My apologies to
   its author.)

4) Added a 'mkread' command to mark messages as read (the inverse of
   'unread').  Should we also have a 'mknew' command?

5) Added a 'smopts' command to keep a database of addresses and
   sendmail options to be used when sending messages to those
   addresses.  See man mail(1) for a fuller description.

6) Added 'indentpreamble' and 'indentpostscript' variables whose
   values are inserted before and after a quoted message (~m or ~M
   escapes).
=20
7) Added string formatting abilities for the 'prompt', 'insertpreamble',
   'insertpostscript', and header display strings.  These strings
   support all the strftime() format parameters as well as many more
   specific to mail (see man mail(1)).

8) Fix the -a flag so that it only takes a single filename, unless
   "mime-attach-list" is defined.  This is more conventional and avoids
   unexpected whitespace issues.
2006-10-31 20:07:32 +00:00
christos
8207b28a5c From our anonymous user:
- mime and character set handling
- command line editor and completion
- many code improvements
2006-10-21 21:37:20 +00:00
christos
85c81c58a5 Jumbo mail patch from our anonymous user:
1) Use editline [optional]:
   Most of this code was borrowed from src/usr.bin/ftp.  It does the
   appropriate editing, history, and completion for all mail commands
   (from cmdtab[]) and also does editing on header strings ('~h' inside
   the mail editor).

2) '-B' flag:
   This will suppress the "To:" line passed to sendmail.  In most
   configurations it will lead to sendmail adding "To: undisclosed
   recipients;".  Currently, AFAIK mail requires at least one exposed
   recipient address.

3) Comments in rcfile:
   Currently, comments in .mailrc are only supported if the first
   (non-white) character on a line is '#' followed by white space,
   i.e., '#' is a 'nop' command.  This (trivial) patch allows the more
   normal/expected use of '#' as a comment character.  It does not
   respect quoting, so that might be an objection which I should fix.

4) Sendmail option editing:
   This adds the sendmail option string to the strings editable by the
   '~h' command within the mail editor.  Currently, you can only set
   this string from the command-line, which is particularly annoying
   when replying to mail.

5) Reply from:
   When replying to a message, grab the "To:" address from the message
   and, if there is only one such address and it does not match a list of
   allowed addresses (set in the "ReplyFrom" variable), pass it to
   sendmail as the "From:" address for the reply (with the '-f' option).
   I often make aliases for myself so that my primary address is not
   given out; if the alias gets out, I know who to blame.  Unfortunately,
   a reply to such a message would normally use the primary address
   without this patch.  A warning is displayed when this is going to
   happen so that it can be modified with '~h'.

6) CC and BCC lists:
   Allow '-c' and '-b' to accept white-space or ',' delimited lists.
   Currently, a white-space delimited list of addresses work, but a
   list of aliases will not get expanded.  For example, currently:

	mail -c "foo bar" christos

   will fail to send mail to 'foo' and 'bar' if these are mail aliases
   (in ~/.mailrc); sendmail aliases (in /etc/aliases) do work.

7) pipe command:
   This pipes the current message into a shell command.  I use this for
   quick decoding of uuencoded mail, but I can imagine it might be
   useful for decrypting encrypted mail, too.

8) show command:
   This command takes a list of variables and shows their values.  It
   is probably stupid as the 'set' command without any argument
   displays all variable values.  Of course, if there are a lot of
   variables you have to sift through the list for the one(s) you want.
2006-09-18 19:46:21 +00:00
christos
57e9a1d730 PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask 2006-03-03 15:07:00 +00:00
christos
ca28631014 Pass lint completely. 2005-07-19 23:07:10 +00:00
christos
ece0fd5c87 WARNS=3 2005-07-19 01:38:38 +00:00
agc
89aaa1bb64 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22365, verified by myself.
2003-08-07 11:13:06 +00:00
wiz
240d8221ea Replace last tempnam() with mkstemp(), and remove the tempMail variable.
Inspired by OpenBSD.
mail(1) is now tempnam(3) free.
2002-03-06 17:36:44 +00:00
wiz
ae38aa875b Use warn() instead of perror(). 2002-03-05 21:29:30 +00:00
wiz
b6e7b17180 KNF: No space after casts. 2002-03-05 21:18:14 +00:00
wiz
cb6786d45f Replace some more special pointers to zero (NIL, NONE, NOVAR, NOGRP, NOGE)
with NULL.
2002-03-04 03:16:10 +00:00
wiz
ab85015570 Don't use special null string pointer (NOSTR), just use NULL. 2002-03-04 03:07:25 +00:00
wiz
4e972651c7 Rename variables to avoid shadowing. 2002-03-02 15:27:51 +00:00
wiz
b127cccc2e ANSIfy, and minimal KNF. 2002-03-02 14:59:35 +00:00
christos
85ef06032c fix nested externs
rename raise to upcase to avoid clash with raise(3)
2001-02-05 02:07:52 +00:00
christos
253750edbd Add -E "dontsendempty" flag which does not send messages that have no
data. This is useful when piping cron error output to mail. While I am
there add -~ to be a synonym for -I [but don't document it]. This is for
compatibility with other OS's.
2000-09-19 01:12:48 +00:00
tron
baa67f49cc Rename send() to sendmessage() to avoid conflict with send(2) in "libc".
Patch supplied by Geoff Adams in PR bin/9385.
2000-02-10 12:34:42 +00:00
christos
2d72555862 char -> unsigned char 1998-12-19 16:34:38 +00:00
ross
f670fa10c5 Add { and } to shut up egcs. Reformat the more questionable code. 1998-08-25 20:59:36 +00:00
bad
6a203aafce Do not propagate local pipe and file address that are marked for deletion
into the mail header.
1997-11-25 17:55:52 +00:00
lukem
7c81c8f378 WARNSify, fix .Nm usage, deprecate register, use <err.h> 1997-10-19 05:02:57 +00:00
christos
88b833a7cd - Fix PR/105: Implement dot locking protocol and check return value of flock.
- Fix PR/2247: Don't call unknown users "ubluit". Issue an error message.
- Fix/add prototypes.
- Fix warnings.
- Use POSIX signal mask calls.
- RCSid police.
1996-06-08 19:48:09 +00:00
jtc
b5508f3525 Use tempnam() to generate temporary file names instead of trying to
concatenate getenv("TMPDIR") and "RxXXXXXX" into fixed length arrays.
1994-11-28 20:03:30 +00:00
deraadt
2cb5542f38 4.4-lite, plus our mods 1994-06-29 05:09:04 +00:00
jtc
10a20d067c Implement mailx's askbcc option. 1993-08-27 20:31:51 +00:00
mycroft
e9d867ef50 Add RCS identifiers. 1993-08-01 17:54:45 +00:00
cgd
61f282557f initial import of 386bsd-0.1 sources 1993-03-21 09:45:37 +00:00