Merge with SVN render-pipeline-8 branch

author: Bryan O'Sullivan <bos@lindenlab.com> 2009-11-03 13:39:02 -0800
committer: Bryan O'Sullivan <bos@lindenlab.com> 2009-11-03 13:39:02 -0800
commit: 28ed8f84d86403cf90b7963b147d2ac5c6cf37c7 (patch)
tree: cebb2895642b96aa64e8cf8c2eb402e8423165d6 /indra/llmessage/llmail.cpp
parent: 9c3595465972ba4be916e871f6b0a62cc0c13d4a (diff)
parent: 63b9bd43ff41da01d549f630bd838caff0dffd97 (diff)
1 files changed, 15 insertions, 3 deletions
diff --git a/indra/llmessage/llmail.cpp b/indra/llmessage/llmail.cpp
index d52ff6c7e8..ce206d8d7d 100644
--- a/indra/llmessage/llmail.cpp
+++ b/indra/llmessage/llmail.cpp
@@ -265,7 +265,7 @@ std::string LLMail::buildSMTPTransaction(
 // static
 bool LLMail::send(
 	const std::string& header,
-	const std::string& message,
+	const std::string& raw_message,
 	const char* from_address,
 	const char* to_address)
 {
@@ -276,8 +276,20 @@ bool LLMail::send(
 		return false;
 	}
 
-	// *FIX: this translation doesn't deal with a single period on a
-	// line by itself.
+	// remove any "." SMTP commands to prevent injection (DEV-35777)
+	// we don't need to worry about "\r\n.\r\n" because of the 
+	// "\n" --> "\n\n" conversion going into rfc2822_msg below
+	std::string message = raw_message;
+	std::string bad_string = "\n.\n";
+	std::string good_string = "\n..\n";
+	while (1)
+	{
+		int index = message.find(bad_string);
+		if (index == std::string::npos) break;
+		message.replace(index, bad_string.size(), good_string);
+	}
+
+	// convert all "\n" into "\r\n"
 	std::ostringstream rfc2822_msg;
 	for(U32 i = 0; i < message.size(); ++i)
 	{
author	Bryan O'Sullivan <bos@lindenlab.com>	2009-11-03 13:39:02 -0800
committer	Bryan O'Sullivan <bos@lindenlab.com>	2009-11-03 13:39:02 -0800
commit	28ed8f84d86403cf90b7963b147d2ac5c6cf37c7 (patch)
tree	cebb2895642b96aa64e8cf8c2eb402e8423165d6 /indra/llmessage/llmail.cpp
parent	9c3595465972ba4be916e871f6b0a62cc0c13d4a (diff)
parent	63b9bd43ff41da01d549f630bd838caff0dffd97 (diff)