sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Prevent custom_header with accents #1840

Open ldidry opened 1 month ago

ldidry commented 1 month ago

Expected Behavior

People shouldn’t be able to set a custom_header with an accent, which makes Sympa crash.

Current Behavior

People can set a custom_header with an accent, which makes Sympa crash.

Possible Solution

We could set a pattern attribute to the input field, like ^[a-zA-Z0-9]*$, or set a similar validation in the backend.

Context

A user has set X-Expéditeur as custom_header, which made sympa_msg crash, preventing it from continuing to process other mails.

Crash log:

2024-05-14T15:59:11.054874+02:00 rod3 sympa_msg[2057866]: err main::#242 > Sympa::Spindle::spin#95 > Sympa::Spindle::TransformOutgoing::_twist#105 > Sympa::Message::add_header#399 > Mail::Header::add#472 > Mail::Header::_fmt_line#163 > Carp::croak#289 DIED: Bad RFC822 field name 'X-Expéditeur'  at /home/sympa/bin/Sympa/Message.pm line 399.

ikedas commented 1 month ago

RFC 5322 says (in section 2.2 "Header fields"):

A field name MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive), except colon.

Thus, I suppose, it should not contain accented characters.
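
A sketch of the backend validation suggested in this issue, using the RFC 5322 character range quoted above so that hyphenated names such as X-Sender-Org stay valid. This is an added example, not code from the thread or from Sympa; `check_custom_header` is a hypothetical helper, the "Field-Name: value" entry form is an assumption, and the sample entries are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;    # the constructed sample data below contains a literal "é"
binmode STDOUT, ':encoding(UTF-8)';

# RFC 5322 section 2.2: a field name is printable US-ASCII (33..126)
# except the colon (58), and must not be empty.
my $FIELD_NAME_RE = qr/\A[\x21-\x39\x3B-\x7E]+\z/;

# Hypothetical helper: check one custom_header entry, assumed to have the
# form "Field-Name: value". Returns undef if acceptable, else a reason.
sub check_custom_header {
    my ($entry) = @_;
    return 'empty entry' unless defined $entry and length $entry;

    # Split on the first colon only; the value may itself contain colons.
    my ($name, $value) = split /:/, $entry, 2;
    return 'missing ":" separator' unless defined $value;
    return 'empty field name'      unless length $name;
    return qq{field name "$name" has a character outside US-ASCII 33..126}
        unless $name =~ $FIELD_NAME_RE;
    return;
}

# Constructed sample entries; the second uses the field name from the report.
my @samples = (
    'X-Sender-Org: Example',
    'X-Expéditeur: Example',
    'X-Url: https://lists.example.org/',
    'X Bad Name: x',
    ': no name',
    'no separator',
);

for my $entry (@samples) {
    my $err = check_custom_header($entry);
    printf "%-36s %s\n", $entry, defined $err ? "REJECT ($err)" : 'ok';
}
```

Rejecting the entry when the list configuration is saved keeps the bad name from ever reaching the message-processing path shown in the crash log.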