Comments (7)
I'm using an old version of this library, but I have the same problem. If you use the filename of a user-provided email attachment, it might be too long.
One solution is to cut it to 250 characters, like @speller does.
Why are we trying to use the original filename (which is user-provided data)? We have to extract it (from "Content-Disposition" or "Content-Type"), it has to be cleaned of "unsafe characters", and then we still might have the problem that filenames are too long.
Or the filename is empty: For example, if you extract a filename "[]" from a header, and then you remove unsafe characters, the string is empty at the end. Creating that file with fopen() will fail. Unsafe chars are not removed, but replaced by underscores, "[]" is not a problem. But other unsafe chars are problematic, for example a horizontal tab. The blacklist of unsafe chars in https://github.com/zetacomponents/Mail/blob/master/src/parser/parts/file_parser.php#L145 is too short. Either a whitelist would be a lot better, or not using user-provided data at all. See my unit tests below.
Why not just use a random filename? As far as I can see, the filename is not important. Maybe this code solves all problems?
$fileName = uniqid('zetacomponents_tmp_mail_file_', true);
You can remove 20 lines of code, the filename is unique, no user-data involved, it's not too long, it's not too short, and everybody is happy :-)
from mail.
Any news on this issue?
from mail.
Sorry, must have missed this. Can you provide the source of the email, or, even better, add a PR with a test case?
from mail.
Hi @derickr , I've solved this in my fork using this patch:
diff --git a/src/parser/parts/file_parser.php b/src/parser/parts/file_parser.php
index 553172b..4143b35 100644
--- a/src/parser/parts/file_parser.php
+++ b/src/parser/parts/file_parser.php
@@ -165,10 +165,16 @@ class ezcMailFileParser extends ezcMailPartParser
// remove the directory and the file when PHP shuts down
ezcMailParserShutdownHandler::registerForRemoval( $dirName );
+
+ // If we have very long filename close to fs limit - truncate it to 250 symbols
+ if ( mb_strlen( $fileName ) > 250 ) {
+ $fileName = mb_substr($fileName, 0, 250);
+ }
+
$this->fileName = $dirName . $fileName;
$fp = fopen( $this->fileName, 'w' );
- if ( $this->fp === false )
+ if ( $fp === false )
{
throw new ezcBaseFileNotFoundException( $this->fileName );
}
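Review bot: The length check at `mb_strlen( $fileName ) > 250` counts characters, while filesystem name limits are commonly expressed in bytes, so a 250-character name containing multibyte characters can still exceed the limit and make `fopen()` fail; consider truncating by bytes, or only after the name has been reduced to ASCII. Truncating from the end also drops the file extension, and nothing in this hunk guards against an empty `$fileName`, which is still concatenated onto `$dirName` and passed to `fopen()`. Style: `mb_substr($fileName, 0, 250)` and the same-line `{` do not match the spacing and brace placement of the surrounding code. The `$this->fp` to `$fp` correction looks right, since `$fp` is the variable `fopen()` is assigned to.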
I don't have test email, sorry.
from mail.
Is this still a live issue for you?
from mail.
I've fixed this as part of #83.
from mail.
Hi @derickr ,
Thanks for the commit, but I think the problem is not fixed yet.
I just ran the tests on my Windows machine, and I got:
ezcBaseFileNotFoundException : The file 'C:\Users\Michael\AppData\Local\Temp\3224-27/ ' could not be found.
D:\zetacomponents\Mail\src\parser\parts\file_parser.php:183
D:\zetacomponents\Mail\src\parser\parts\file_parser.php:152
D:\zetacomponents\Mail\src\parser\interfaces\part_parser.php:150
D:\zetacomponents\Mail\src\parser\parts\multipart_parser.php:184
D:\zetacomponents\Mail\src\parser\parts\rfc822_parser.php:118
D:\zetacomponents\Mail\src\parser\parser.php:252
D:\zetacomponents\Mail\tests\parser\parser_test.php:916
The space in the test "testVarious13" still is not working.
I did not test it, but I also guess that a filename of "." or ".." would not work.
You are now using a whitelist:
$fileName = preg_replace( '/[^A-Za-z0-9-. ]/', '_', $fileName );
But dots and spaces can be problematic, for example "." or ".." on Linux and Windows might result in problems.
While searching for "allowed filenames on Windows" I found this:
"For example, spaces and dots are valid filename characters, but names composed only of those characters are forbidden"
My suggestion is still: Don't use the user-provided string, and just generate a random filename like this for example:
$fileName = uniqid('zetacomponents_tmp_mail_file_', true);
Or you also have to remove the dot and the space from the character whitelist.
from mail.
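The failure cases raised in the last comment, as an added example that is not part of the thread or of the library's code: it runs the whitelist regex quoted above over a few constructed filenames, flags results made only of dots and spaces, and builds a temp name that ignores the header value. The function names are hypothetical, `random_bytes()` is swapped in for the `uniqid()` call suggested in the thread, and the 255-byte name limit is an assumption about the target filesystem.

```php
<?php
// Whitelist quoted in the thread: every character outside
// A-Z a-z 0-9 - . and space is replaced by "_".
function whitelistName(string $name): string
{
    return (string) preg_replace('/[^A-Za-z0-9-. ]/', '_', $name);
}

// Hypothetical check: an empty name, or one made only of dots and
// spaces, cannot be created as a regular file ("." and ".." are
// directory entries; Windows rejects names of only spaces and dots).
function isUnusableName(string $name): bool
{
    return trim($name, '. ') === '';
}

// Hypothetical alternative: do not use the header value at all.
// random_bytes() replaces the uniqid() call proposed in the thread.
function randomTempName(string $prefix = 'zetacomponents_tmp_mail_file_'): string
{
    return $prefix . bin2hex(random_bytes(16));
}

// Assumed per-name limit of the filesystem, in bytes.
const MAX_NAME_BYTES = 255;

// Constructed sample values standing in for attachment names from headers.
$samples = [' ', '.', '..', '', "a\tb.txt", '[]', str_repeat('a', 300) . '.pdf', 'report.pdf'];

foreach ($samples as $raw) {
    $clean = whitelistName($raw);
    if (isUnusableName($clean)) {
        $verdict = 'unusable (empty or only dots/spaces)';
    } elseif (strlen($clean) > MAX_NAME_BYTES) {
        $verdict = 'too long (' . strlen($clean) . ' bytes)';
    } else {
        $verdict = 'ok';
    }
    // json_encode makes spaces, tabs and empty strings visible in the output.
    printf("%-14s -> %-14s %s\n", json_encode(substr($raw, 0, 10)), json_encode(substr($clean, 0, 10)), $verdict);
}

// The random name has a fixed length and a fixed character set.
echo randomTempName(), "\n";
```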