merge

author: Steve Bennetts <steve@lindenlab.com> 2009-10-19 17:31:05 -0700
committer: Steve Bennetts <steve@lindenlab.com> 2009-10-19 17:31:05 -0700
commit: 1d5be6eca1969da3e6b923cbf5326d3bdc8b066f (patch)
tree: a03a2e782f5022ebbbe1ef933e3a11c1b9de00a6 /indra/llmessage/llmail.cpp
parent: 97d2b740d3e700d86665183d5fc5cfcb3efe72d6 (diff)
parent: d78520f6b7fd4a20bbb1d1291a34761efc1fd740 (diff)
1 files changed, 15 insertions, 3 deletions
diff --git a/indra/llmessage/llmail.cpp b/indra/llmessage/llmail.cpp
index d52ff6c7e8..ce206d8d7d 100644
--- a/indra/llmessage/llmail.cpp
+++ b/indra/llmessage/llmail.cpp
@@ -265,7 +265,7 @@ std::string LLMail::buildSMTPTransaction(
 // static
 bool LLMail::send(
 	const std::string& header,
-	const std::string& message,
+	const std::string& raw_message,
 	const char* from_address,
 	const char* to_address)
 {
@@ -276,8 +276,20 @@ bool LLMail::send(
 		return false;
 	}
 
-	// *FIX: this translation doesn't deal with a single period on a
-	// line by itself.
+	// remove any "." SMTP commands to prevent injection (DEV-35777)
+	// we don't need to worry about "\r\n.\r\n" because of the 
+	// "\n" --> "\n\n" conversion going into rfc2822_msg below
+	std::string message = raw_message;
+	std::string bad_string = "\n.\n";
+	std::string good_string = "\n..\n";
+	while (1)
+	{
+		int index = message.find(bad_string);
+		if (index == std::string::npos) break;
+		message.replace(index, bad_string.size(), good_string);
+	}
+
+	// convert all "\n" into "\r\n"
 	std::ostringstream rfc2822_msg;
 	for(U32 i = 0; i < message.size(); ++i)
 	{
author	Steve Bennetts <steve@lindenlab.com>	2009-10-19 17:31:05 -0700
committer	Steve Bennetts <steve@lindenlab.com>	2009-10-19 17:31:05 -0700
commit	1d5be6eca1969da3e6b923cbf5326d3bdc8b066f (patch)
tree	a03a2e782f5022ebbbe1ef933e3a11c1b9de00a6 /indra/llmessage/llmail.cpp
parent	97d2b740d3e700d86665183d5fc5cfcb3efe72d6 (diff)
parent	d78520f6b7fd4a20bbb1d1291a34761efc1fd740 (diff)