Hi! There is a problem described below: <a href="http://stackove

Ok, I'll try explain again. In example here: <a href="https://github

<div class="snippet-clipboard-content notranslate position-relative

Attachments array keys & PHP about mailin HOT 10 OPEN

flolagale commented on September 15, 2024

Attachments array keys & PHP

from mailin.

Comments (10)

Flolagale commented on September 15, 2024

When several attachements have the same fileName, generatedFileName will be different from fileName, in order to get a kind of 'unique' file name.

Anyway, I am sorry but I am not sure to understand clearly the question. Do you want to identify uniquely the fileNames or to retrieve the original fileName, replacing back underscores by dots?
If the issue is uniquely identifying the attachments, you can use the contentId key, which will always be unique.

from mailin.

2naive commented on September 15, 2024

Ok, I'll try explain again.

In example here: https://github.com/Flolagale/mailin/blob/master/README.md

You wrote:

  attachments: [{
      contentType: 'text/plain',
      fileName: 'dummyFile.txt',
      contentDisposition: 'attachment',
      transferEncoding: 'base64',
      generatedFileName: 'dummyFile.txt',
      contentId: '6e4a9c577e603de61e554abab84f6297@mailparser',
      checksum: 'e9fa6319356c536b962650eda9399a44',
      length: '28'
  }],
...
'dummyFile.txt': 'a-base64-encoded-string=='

So, in that case dummyFile.txt is a key of associative array when it's posted to .php webhook. In that case, if webhook will be PHP-script (I suppose It could be similar problems with other languages) you will see:

[dummyFile_txt] => 'a-base64-encoded-string=='

 [Телефонный_трафик_htm] => PGh0bWw+PGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+DQo8dGl0bGU+0KLQtdC70LXRhNC+

in my test case.

So all I'm saying is that it having filename as array key is unsafe in case wehook could be written in languages other than JS.

Yes, there is a workaround like:

function _fixed_name($name) {
    return str_replace(array(chr(32), chr(46), chr(91), chr(128), chr(129), chr(130), chr(131), chr(132), chr(133), chr(134), chr(135), chr(136), chr(137), chr(138), chr(139), chr(140), chr(141), chr(142), chr(143), chr(144), chr(145), chr(146), chr(147), chr(148), chr(149), chr(150), chr(151), chr(152), chr(153), chr(154), chr(155), chr(156), chr(157), chr(158), chr(159)), '_', $name);
}

but even in that case, if you have 2 different files in one message with, for example, such names:
name .jpg
AND
name_.jpg

They all will be converted by this function to name__.jpg.

So, in that case I think that array key should be safe (e.g. base64), or just some unique id, which would also present in attachments[], but not a filename.

Or just change fileName to contentId for array key, e.g:

 '6e4a9c577e603de61e554abab84f6297@mailparser': 'a-base64-encoded-string=='

NOT

 'dummyFile.txt': 'a-base64-encoded-string=='

Hope I could explain it.

from mailin.

Flolagale commented on September 15, 2024

Ok, you made an interesting point. Using the contentId as the key is a good idea, but it introduces some breaking changes to the API. I will implement it but I would like to make sure that it is absolutely necessary. Could you please answer to the 2 following questions to verify this?

For now, the attachment array key is supposed to be the generatedFileName. In your example, the filename is Телефонный_трафик_htm, what is the value of the associated generatedFileName?
The case that you described (2 attached files 'Телефонный_трафик_.htm' and 'Телефонный_трафик .htm') should this still lead to 2 different generatedFilenames. Could you try it and post the resulting generatedFileNames here?

from mailin.

2naive commented on September 15, 2024

[attachments] => Array
    (
        [0] => stdClass Object
            (
                [contentType] => text/html
                [charset] => utf-8
                [fileName] => Телефонный трафик.htm
                [transferEncoding] => base64
                [contentDisposition] => attachment
                [generatedFileName] => Телефонный трафик.htm
                [contentId] => 8184317dea9324c49f3ada75a10fff4a@mailparser
                [checksum] => 6f34800999d4a4b504737f87488f9d0a
                [length] => 123797
            )

    )
... ...
[Телефонный_трафик_htm] => PGh0bWw+PGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl...

As I wrote:

...names: name .jpg AND name_.jpg
They all will be converted by this function to name__.jpg.

first name is "name.jpg" and second is "name.jpg"

So, okay, I did the following:

 attachments:
   [ { contentType: 'text/plain',
       charset: 'utf-8',
       fileName: 'test.txt',
       contentDisposition: 'attachment',
       transferEncoding: 'base64',
       generatedFileName: 'test.txt',
       contentId: 'dd18bf3a8e0a2a3e53e2661c7fb53534@mailparser',
       checksum: 'c4ca4238a0b923820dcc509a6f75849b',
       length: 1 },
     { contentType: 'application/octet-stream',
       fileName: 'test txt',
       contentDisposition: 'attachment',
       transferEncoding: 'base64',
       generatedFileName: 'test txt',
       contentId: '62c97d2c2bdfba2320083770dfb45ec9@mailparser',
       checksum: 'c4ca4238a0b923820dcc509a6f75849b',
       length: 1 } ],

from mailing logs.

Got from PHP webhook dump:

array (
  'mailinMsg' => '{"html":"<div dir=\\"ltr\\"><div class=\\"gmail_default\\" style=\\"font-family:tahoma,sans-serif\\"><br clear=\\"all\\"></div><div><div class=\\"gmail_signature\\"><div><br></div><div><br></div><font face=\\"tahoma, sans-serif\\">С уважением,</font><div><font face=\\"tahoma, sans-serif\\">Александр</font></div></div></div>\\r\\n</div>\\r\\n","text":"С уважением,\\r\\n Александр\\r\\n","headers":{"received":["by mail-lb0-f173.google.com with SMTP id z12so3832792lbi.4 for <[email protected]>; Tue, 13 Jan 2015 09:36:48 -0800 (PST)","by 10.112.125.227 with HTTP; Tue, 13 Jan 2015 09:36:47 -0800 (PST)"],"dkim-signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=dYMvmrvXOgQGoMnYLjdafuYr13T28MPpE81CHhknhK4=; b=pILxOJ4uSbK+ZZCJjR6hjwQ63U5b0QLjg2hnKqjnCcIlKd6WtAJrn0X2YCfzhJ+D31 xOf2tiFuW4SN5FGy/HHuXQ20q41Nu5GBpNDjjetMOpDwLNVd5/s0M3Nd3DVK9TCPBLzm T6/emGi8S5C1gQvNXYsowzybUluFKIUyLR3QL1UMx0wYWJxTFnvycB5xg83w9rFiLycg tOTMYA5X3cfcNp6fUNd8XfLrzcW+29MoREU/ub5HSeqQ14mZPbb+b3y3zoscVGxf7tKu nCoLHKSo1N1N7lk2P8zy7e2QgJpbC4WBnWnh3VA9E11DqEuCRZQiKpt8ZkTgddkck3Ti oWQA==","mime-version":"1.0","x-received":"by 10.152.44.167 with SMTP id f7mr43671696lam.92.1421170608225; Tue, 13 Jan 2015 09:36:48 -0800 (PST)","date":"Tue, 13 Jan 2015 20:36:47 +0300","message-id":"<CAKyjARYsHu-GLbnXDtGhHRkLRk8CCEevbSoKxHnW7ydWYgefAw@mail.gmail.com>","subject":"test","from":"Александр  <[email protected]>","to":"[email protected]","content-type":"multipart/mixed; boundary=089e0158c40e44dccf050c8c1162"},"subject":"test","messageId":"CAKyjARYsHu-GLbnXDtGhHRkLRk8CCEevbSoKxHnW7ydWYgefAw@mail.gmail.com","priority":"normal","from":[{"address":"[email protected]","name":"Александр"}],"to":[{"address":"[email protected]","name":""}],"date":"2015-01-13T17:36:47.000Z","attachments":[{"contentType":"text/plain","charset":"utf-8","fileName":"test.txt","contentDisposition":"attachment","transferEncoding":"base64","generatedFileName":"test.txt","contentId":"dd18bf3a8e0a2a3e53e2661c7fb53534@mailparser","checksum":"c4ca4238a0b923820dcc509a6f75849b","length":1},{"contentType":"application/octet-stream","fileName":"test txt","contentDisposition":"attachment","transferEncoding":"base64","generatedFileName":"test txt","contentId":"62c97d2c2bdfba2320083770dfb45ec9@mailparser","checksum":"c4ca4238a0b923820dcc509a6f75849b","length":1}],"dkim":"pass","spf":"pass","spamScore":0,"language":"bulgarian","cc":[],"connection":{"from":"[email protected]","to":["[email protected]"],"remoteAddress":"209.85.217.173","authentication":{"username":false,"authenticated":false,"state":"NORMAL"},"id":"238dead6"},"envelopeFrom":[{"address":"[email protected]","name":""}],"envelopeTo":[{"address":"[email protected]","name":""}]}',
  'test_txt' => 'MQ==',
)

So you see just 1 file test_txt.

And I don't know for sure all symbols that could be replaced.

from mailin.

2naive commented on September 15, 2024

Also in the same dump you may see the problem with envelopeFrom.

from mailin.

2naive commented on September 15, 2024

Any news?

from mailin.

2naive commented on September 15, 2024

My workaround isn't working with chr(128) - chr(159), because:
_fixed_name('Телефонный траффик.htm')
gives:
Теле�_онн�_й_�_�_а�_ик_htm

from mailin.

Flolagale commented on September 15, 2024

Sorry I have been very busy lately, I did not get the time to fix this. I think we will use the contentId as a key. I will keep you posted!

from mailin.

2naive commented on September 15, 2024

ContentID could also have dots, as I understand.
May be its better to add one more I'D or just use an iterator? or put content inside attachments array.

from mailin.

Ghirro commented on September 15, 2024

Is this necessarily a security issue in PHP? You mention it being unsafe but is it not rather an inconvenience? I agree that the dot notation should probably be revised since even in JS it's not exactly semantic (. being the object/property separator) but just wanted to check that it isn't exactly an urgent security vulnerability?

from mailin.

Attachments array keys & PHP about mailin HOT 10 OPEN

Comments (10)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent