
Comments (7)

PHPGangsta avatar PHPGangsta commented on July 19, 2024 1

I'm using an old version of this library, but I have the same problem. If you use the filename of a user-provided email attachment, it might be too long.

One solution is to cut it to 250 characters, like @speller does.

Why are we trying to use the original filename (which is user-provided data)? We have to extract it (from "Content-Disposition" or "Content-Type"), it has to be cleaned by "unsafe characters", and then we still might have the problem that filenames are too long.
Or the filename is empty: For example, if you extract a filename "[]" from a header, and then you remove unsafe characters, the string is empty at the end. Creating that file with fopen() will fail. Unsafe chars are not removed but replaced by underscores, so "[]" is not a problem. But other unsafe chars are problematic, for example a horizontal tab. The blacklist of unsafe chars in https://github.com/zetacomponents/Mail/blob/master/src/parser/parts/file_parser.php#L145 is too short. Either a whitelist would be a lot better, or not using user-provided data at all. See my unit tests below.

Why not just use a random filename? As far as I can see, the filename is not important. Maybe this code solves all problems?

$fileName = uniqid('zetacomponents_tmp_mail_file_', true);

You can remove 20 lines of code, the filename is unique, no user-data involved, it's not too long, it's not too short, and everybody is happy :-)


speller avatar speller commented on July 19, 2024

Any news on this issue?


derickr avatar derickr commented on July 19, 2024

Sorry, must have missed this. Can you provide the source of the email, or, even better, add a PR with a test case?


speller avatar speller commented on July 19, 2024

Hi @derickr, I've solved this in my fork using this patch:

diff --git a/src/parser/parts/file_parser.php b/src/parser/parts/file_parser.php
index 553172b..4143b35 100644
--- a/src/parser/parts/file_parser.php
+++ b/src/parser/parts/file_parser.php
@@ -165,10 +165,16 @@ class ezcMailFileParser extends ezcMailPartParser
 
         // remove the directory and the file when PHP shuts down
         ezcMailParserShutdownHandler::registerForRemoval( $dirName );
+
+        // If we have very long filename close to fs limit - truncate it to 250 symbols
+        if ( mb_strlen( $fileName ) > 250 ) {
+            $fileName = mb_substr($fileName, 0, 250);
+        }
+
         $this->fileName = $dirName . $fileName;
 
         $fp = fopen( $this->fileName, 'w' );
-        if ( $this->fp === false )
+        if ( $fp === false )
         {
             throw new ezcBaseFileNotFoundException( $this->fileName );
         }
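Review bot: the truncation added in this hunk measures characters with mb_strlen()/mb_substr(), but filesystem name limits are in bytes (255 on most filesystems), so a 250-character name containing multibyte characters can still exceed the limit; cut to a byte budget with strlen()/substr() instead. The cut also leaves the other failure modes raised in this issue untouched: an empty name, or a name consisting only of spaces or dots ("." / ".."), still reaches the fopen() a few lines below and fails there. The `$this->fp` to `$fp` correction at the end of the hunk is right, since the error branch previously compared a property that was never assigned.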

I don't have test email, sorry.


derickr avatar derickr commented on July 19, 2024

Is this still a live issue for you?


derickr avatar derickr commented on July 19, 2024

I've fixed this as part of #83.


PHPGangsta avatar PHPGangsta commented on July 19, 2024

Hi @derickr,

Thanks for the commit, but I think the problem is not fixed yet.

I just ran the tests on my Windows machine, and I got:

ezcBaseFileNotFoundException : The file 'C:\Users\Michael\AppData\Local\Temp\3224-27/ ' could not be found.
 D:\zetacomponents\Mail\src\parser\parts\file_parser.php:183
 D:\zetacomponents\Mail\src\parser\parts\file_parser.php:152
 D:\zetacomponents\Mail\src\parser\interfaces\part_parser.php:150
 D:\zetacomponents\Mail\src\parser\parts\multipart_parser.php:184
 D:\zetacomponents\Mail\src\parser\parts\rfc822_parser.php:118
 D:\zetacomponents\Mail\src\parser\parser.php:252
 D:\zetacomponents\Mail\tests\parser\parser_test.php:916

The space in the test "testVarious13" is still not working.
I did not test it, but I also guess that a filename of "." or ".." would not work.

You are now using a whitelist:
$fileName = preg_replace( '/[^A-Za-z0-9-. ]/', '_', $fileName );
But dots and spaces can be problematic, for example "." or ".." on Linux and Windows might result in problems.

While searching for "allowed filenames on Windows" I found this:
"For example, spaces and dots are valid filename characters, but names composed only of those characters are forbidden"

My suggestion is still: Don't use the user-provided string, and just generate a random filename like this for example:
$fileName = uniqid('zetacomponents_tmp_mail_file_', true);

Or you also have to remove the dot and the space from the character whitelist.

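An added example (not zetacomponents/Mail code) that applies the whitelist quoted in this comment and then handles the cases the thread says it misses, the over-long names from the first comment and the space-only, "." and ".." names from this one, falling back to the uniqid() name suggested above when nothing usable remains. The function name and the 250-byte budget are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: turn a user-supplied attachment name into something
// fopen() can create, or a generated name when that is impossible.
function safeAttachmentFileName(string $userSupplied, int $maxBytes = 250): string
{
    // Whitelist from the thread: everything else (tab, "[", "]", "/", ...)
    // becomes "_". Without the /u modifier this runs per byte, so each
    // multibyte character turns into several underscores.
    $name = preg_replace('/[^A-Za-z0-9\-. ]/', '_', $userSupplied);

    // "." and ".." are directory entries, and Windows rejects names made
    // only of dots and spaces; trimming both ends removes all of them
    // (including the single space behind the "3224-27/ " failure above).
    $name = trim($name, ' .');

    // Name limits are in bytes (255 on ext4 and NTFS), so measure with
    // strlen(), not mb_strlen(); re-trim in case the cut ended on a dot.
    if (strlen($name) > $maxBytes) {
        $name = rtrim(substr($name, 0, $maxBytes), ' .');
    }

    // Nothing usable left (empty header value, or only dots and spaces):
    // use a generated name. uniqid() is unique, not unpredictable, which
    // is enough for a temporary file inside a per-message directory.
    if ($name === '') {
        $name = uniqid('zetacomponents_tmp_mail_file_', true);
    }
    return $name;
}

// Constructed inputs covering the cases discussed in this issue.
$samples = ["report.pdf", "[]", "\t", " ", ".", "..", ". .", "", str_repeat('a', 300) . '.txt'];
foreach ($samples as $in) {
    printf("%-14s -> %s\n", json_encode($in), safeAttachmentFileName($in));
}
```

Keeping the original name only as metadata for display and never as the on-disk name, as the thread proposes, removes the need for this sanitisation entirely.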
