Re: Fwd: Huge header detection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 09, 2009 at 10:37:16PM +1100, Bron Gondwana wrote:
> On Mon, Feb 09, 2009 at 10:02:37PM +1100, Bron Gondwana wrote:
> > Ditto.  Gosh.  That makes 3 tunables.  The gods of tunable
> > non-proliferation will want my head for doing this:
> > 
> > maxcacheheaders_warn = 500
> > maxcacheheaders_skip = 1000 (same as the current patch)
> > maxcacheheaders_reject = 2000
> > 
> > Sound like reasonable defaults?  I'm tempted to make the _reject be '0'
> > (don't reject) by default.
> 
> Yeah, something like this completely untested code!
> 
> Bron ( there doesn't seem to be an easy way to signal "abort this
>        thing" back up the chain while parsing the message in the
>        general case, but at least I've caught the top level message )

Bah, it's too late to think!
diff --git a/imap/message.c b/imap/message.c
index 2d9afd2..efd7c32 100644
--- a/imap/message.c
+++ b/imap/message.c
@@ -412,8 +412,9 @@ int message_parse_binary_file(FILE *infile, struct body **body)
     }
 
     if (!*body) *body = (struct body *) xmalloc(sizeof(struct body));
-    message_parse_body(&msg, MAILBOX_FORMAT_NORMAL, *body,
-		       DEFAULT_CONTENT_TYPE, (struct boundary *)0);
+    if (message_parse_body(&msg, MAILBOX_FORMAT_NORMAL, *body,
+			   DEFAULT_CONTENT_TYPE, (struct boundary *)0))
+	return IMAP_IOERROR;
 
     lseek(fd, 0L, SEEK_SET);
     n = retry_write(fd, msg.base, msg.len);
@@ -442,8 +443,9 @@ int message_parse_mapped(const char *msg_base, unsigned long msg_len,
     msg.offset = 0;
     msg.encode = 0;
 
-    message_parse_body(&msg, MAILBOX_FORMAT_NORMAL, body,
-		       DEFAULT_CONTENT_TYPE, (struct boundary *)0);
+    if (message_parse_body(&msg, MAILBOX_FORMAT_NORMAL, body,
+		       DEFAULT_CONTENT_TYPE, (struct boundary *)0))
+	return IMAP_IOERROR;
 
     message_guid_generate(&body->guid, msg_base, msg_len);
 
@@ -601,6 +603,8 @@ struct boundary *boundaries;
     sawboundary = message_parse_headers(msg, format, body, defaultContentType,
 					boundaries);
 
+    if (sawboundary < 0) return IMAP_IOERROR; /* too many headers! */
+
     /* Recurse according to type */
     if (strcmp(body->type, "MULTIPART") == 0) {
 	if (!sawboundary) {
@@ -660,6 +664,10 @@ struct boundary *boundaries;
     int left, len;
     char *next;
     int sawboundary = 0;
+    int max_warn = config_getint(IMAPOPT_MAXHEADERLINES_WARN);
+    int max_skip = config_getint(IMAPOPT_MAXHEADERLINES_SKIP);
+    int max_reject = config_getint(IMAPOPT_MAXHEADERLINES_REJECT);
+    int cur_level = 0;
 
     body->header_offset = msg->offset;
 
@@ -716,6 +724,27 @@ struct boundary *boundaries;
 	if (*next == '\n') {
 	    body->header_lines++;
 
+	    /* if we're skipping, skip now */
+	    if (cur_level >= 2) continue;
+
+	    /* check if we've hit a limit and flag it */
+	    if (cur_level < 3 && max_reject && body->header_lines > max_reject) {
+		syslog(LOG_ERR, "ERROR: message has %d header lines, rejecting",
+		       max_reject);
+		return -1;
+	    }
+	    if (cur_level < 2 && max_skip && body->header_lines > max_skip) {
+		syslog(LOG_ERR, "ERROR: message has %d header lines, not caching any more",
+		       max_skip);
+		cur_level = 2;
+		continue;
+	    }
+	    if (cur_level < 1 && max_warn && body->header_lines > max_warn) {
+		syslog(LOG_NOTICE, "WARNING: message has over %d header lines",
+		       max_warn);
+		cur_level = 1;
+	    }
+
 	    /* Check for headers in generic cache */
 	    if (body->cacheheaders.start &&
 		(next[1] != ' ') && (next[1] != '\t') &&
diff --git a/lib/imapoptions b/lib/imapoptions
index b17d831..7b4ec19 100644
--- a/lib/imapoptions
+++ b/lib/imapoptions
@@ -566,6 +566,22 @@ are listed with ``<none>''.
 /* Notifyd(8) method to use for "MAIL" notifications.  If not set, "MAIL"
    notifications are disabled. */
 
+{ "maxheaderlines_warn", 500, INT }
+/* Number of lines in a message header before a warning is logged
+   to syslog.  Default 500.  If set to zero, it is unlimited. 
+   If set higher than maxheaderlines_skip, then you'll only get the
+   single warning when headers start getting skipped. */
+
+{ "maxheaderlines_skip", 1000, INT }
+/* Maximum number of lines of header that will be processed into cache
+   records.  Default 1000.  If set to zero, it is unlimited.
+   If set higher than maxheaderlines_reject, then you will only
+   get the warning as the message is rejected. */
+
+{ "maxheaderlines_reject", 0, INT }
+/* Number of lines in a message header before the message is rejected
+   by cyrus.  The default is zero - unlimited. */
+
 { "maxmessagesize", 0, INT }
 /* Maximum incoming LMTP message size.  If non-zero, lmtpd will reject
    messages larger than \fImaxmessagesize\fR bytes.  If set to 0, this
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux