infrastructure/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2025-07-12 12:24:38 +03:00
Code Issues Packages Projects Releases Wiki Activity

webmail: recognize q/b-word-encoded filenames in attachments in messages

Browse Source 
according to the rfc's (2231, and 2047), non-ascii filenames in content-type
and content-disposition headers should be encoded like this:

	Content-Type: text/plain; name*=utf-8''hi%E2%98%BA.txt
	Content-Disposition: attachment; filename*=utf-8''hi%E2%98%BA.txt

and that is what the Go standard library mime.ParseMediaType and
mime.FormatMediaType parse and generate.

this is what thunderbird sends:

	Content-Type: text/plain; charset=UTF-8; name="=?UTF-8?B?aGnimLoudHh0?="
	Content-Disposition: attachment; filename*=UTF-8''%68%69%E2%98%BA%2E%74%78%74

(thunderbird will also correctly split long filenames over multiple parameters,
named "filename*0*", "filename*1*", etc.)

this is what gmail sends:

	Content-Type: text/plain; charset="US-ASCII"; name="=?UTF-8?B?aGnimLoudHh0?="
	Content-Disposition: attachment; filename="=?UTF-8?B?aGnimLoudHh0?="

i cannot find where the q/b-word encoded values in "name" and "filename" are
allowed. until that time, we try parsing them unless in pedantic mode.

we didn't generate correctly encoded filenames yet, this commit also fixes that.

for issue #82 by mattfbacon, thanks for reporting!
This commit is contained in:
Mechiel Lukkien
2023-10-14 14:14:13 +02:00
parent 3e53343d21
commit a40f5a5eb3
4 changed files with 74 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
webmail/webmail.go
View File

@ -317,25 +317,6 @@ func serveContentFallback(log *mlog.Log, w http.ResponseWriter, r *http.Request,
http.ServeContent(w, r, "", fallbackMtime(log), bytes.NewReader(fallback))
}
// Escape mime content header parameter, such as content-type charset or
// content-disposition filename.
func escapeParam(s string) string {
// todo: follow ../rfc/2183?
basic := len(s) > 0
for _, c := range s {
if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '-' || c == '_' || c == '.' {
continue
}
basic = false
break
}
if basic {
return s
}
return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s) + `"`
}
// Handler returns a handler for the webmail endpoints, customized for the max
// message size coming from the listener.
func Handler(maxMessageSize int64) func(w http.ResponseWriter, r *http.Request) {
@ -593,19 +574,20 @@ func handle(apiHandler http.Handler, w http.ResponseWriter, r *http.Request) {
subjectSlug = s
}
filename := fmt.Sprintf("email-%d-attachments-%s%s.zip", m.ID, m.Received.Format("20060102-150405"), subjectSlug)
h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename=%s`, escapeParam(filename)))
cd := mime.FormatMediaType("attachment", map[string]string{"filename": filename})
h.Set("Content-Disposition", cd)
zw := zip.NewWriter(w)
names := map[string]bool{}
for _, a := range mi.Attachments {
ap := a.Part
name := ap.ContentTypeParams["name"]
name := tryDecodeParam(log, ap.ContentTypeParams["name"])
if name == "" {
// We don't check errors, this is all best-effort.
h, _ := ap.Header()
disposition := h.Get("Content-Disposition")
_, params, _ := mime.ParseMediaType(disposition)
name = params["filename"]
name = tryDecodeParam(log, params["filename"])
}
if name != "" {
name = filepath.Base(name)
@ -697,10 +679,11 @@ func handle(apiHandler http.Handler, w http.ResponseWriter, r *http.Request) {
// not, there is not much we could do better...
headers(false, false, false)
ct := "text/plain"
params := map[string]string{}
if charset := p.ContentTypeParams["charset"]; charset != "" {
ct += fmt.Sprintf("; charset=%s", escapeParam(charset))
params["charset"] = charset
}
h.Set("Content-Type", ct)
h.Set("Content-Type", mime.FormatMediaType(ct, params))
h.Set("Cache-Control", "no-cache, max-age=0")
_, err := io.Copy(w, &moxio.AtReader{R: msgr})
@ -892,18 +875,19 @@ func handle(apiHandler http.Handler, w http.ResponseWriter, r *http.Request) {
h.Set("Content-Type", ct)
h.Set("Cache-Control", "no-cache, max-age=0")
if t[1] == "download" {
name := ap.ContentTypeParams["name"]
name := tryDecodeParam(log, ap.ContentTypeParams["name"])
if name == "" {
// We don't check errors, this is all best-effort.
h, _ := ap.Header()
disposition := h.Get("Content-Disposition")
_, params, _ := mime.ParseMediaType(disposition)
name = params["filename"]
name = tryDecodeParam(log, params["filename"])
}
if name == "" {
name = "attachment.bin"
}
h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename=%s`, escapeParam(name)))
cd := mime.FormatMediaType("attachment", map[string]string{"filename": name})
h.Set("Content-Disposition", cd)
}
_, err := io.Copy(w, ap.Reader())