1 files changed, 59 insertions, 32 deletions
diff --git a/indra/llmessage/llmail.cpp b/indra/llmessage/llmail.cpp
index 1a076b7281..08b31e9c7a 100644
--- a/indra/llmessage/llmail.cpp
+++ b/indra/llmessage/llmail.cpp
@@ -2,30 +2,25 @@
  * @file llmail.cpp
  * @brief smtp helper functions.
  *
- * $LicenseInfo:firstyear=2001&license=viewergpl$
- * 
- * Copyright (c) 2001-2007, Linden Research, Inc.
- * 
+ * $LicenseInfo:firstyear=2001&license=viewerlgpl$
  * Second Life Viewer Source Code
- * The source code in this file ("Source Code") is provided by Linden Lab
- * to you under the terms of the GNU General Public License, version 2.0
- * ("GPL"), unless you have obtained a separate licensing agreement
- * ("Other License"), formally executed by you and Linden Lab.  Terms of
- * the GPL can be found in doc/GPL-license.txt in this distribution, or
- * online at http://secondlife.com/developers/opensource/gplv2
+ * Copyright (C) 2010, Linden Research, Inc.
  * 
- * There are special exceptions to the terms and conditions of the GPL as
- * it is applied to this Source Code. View the full text of the exception
- * in the file doc/FLOSS-exception.txt in this software distribution, or
- * online at http://secondlife.com/developers/opensource/flossexception
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation;
+ * version 2.1 of the License only.
  * 
- * By copying, modifying or distributing this software, you acknowledge
- * that you have read and understood your obligations described above,
- * and agree to abide by those obligations.
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
  * 
- * ALL LINDEN LAB SOURCE CODE IS PROVIDED "AS IS." LINDEN LAB MAKES NO
- * WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, REGARDING ITS ACCURACY,
- * COMPLETENESS OR PERFORMANCE.
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ * 
+ * Linden Research, Inc., 945 Battery Street, San Francisco, CA  94111  USA
  * $/LicenseInfo$
  */
 
@@ -51,6 +46,7 @@
 #include "llblowfishcipher.h"
 #include "llerror.h"
 #include "llhost.h"
+#include "llsd.h"
 #include "llstring.h"
 #include "lluuid.h"
 #include "net.h"
@@ -111,16 +107,22 @@ void disconnect_smtp()
 // Returns TRUE on success.
 // message should NOT be SMTP escaped.
 // static
-BOOL LLMail::send(const char* from_name, const char* from_address,
-			   const char* to_name, const char* to_address,
-			   const char* subject, const char* message)
+BOOL LLMail::send(
+	const char* from_name,
+	const char* from_address,
+	const char* to_name,
+	const char* to_address,
+	const char* subject,
+	const char* message,
+	const LLSD& headers)
 {
 	std::string header = buildSMTPTransaction(
 		from_name,
 		from_address,
 		to_name,
 		to_address,
-		subject);
+		subject,
+		headers);
 	if(header.empty())
 	{
 		return FALSE;
@@ -192,7 +194,8 @@ std::string LLMail::buildSMTPTransaction(
 	const char* from_address,
 	const char* to_name,
 	const char* to_address,
-	const char* subject)
+	const char* subject,
+	const LLSD& headers)
 {
 	if(!from_address || !to_address)
 	{
@@ -236,15 +239,27 @@ std::string LLMail::buildSMTPTransaction(
 		<< "DATA\r\n"
 		<< "From: " << from_fmt.str() << "\r\n"
 		<< "To: " << to_fmt.str() << "\r\n"
-		<< "Subject: " << subject << "\r\n"
-		<< "\r\n";
+		<< "Subject: " << subject << "\r\n";
+	
+	if(headers.isMap())
+	{
+		LLSD::map_const_iterator iter = headers.beginMap();
+		LLSD::map_const_iterator end = headers.endMap();
+		for(; iter != end; ++iter)
+		{
+			header << (*iter).first << ": " << ((*iter).second).asString()
+				<< "\r\n";
+		}
+	}
+
+	header << "\r\n";
 	return header.str();
 }
 
 // static
 bool LLMail::send(
 	const std::string& header,
-	const std::string& message,
+	const std::string& raw_message,
 	const char* from_address,
 	const char* to_address)
 {
@@ -255,8 +270,20 @@ bool LLMail::send(
 		return false;
 	}
 
-	// *FIX: this translation doesn't deal with a single period on a
-	// line by itself.
+	// remove any "." SMTP commands to prevent injection (DEV-35777)
+	// we don't need to worry about "\r\n.\r\n" because of the 
+	// "\n" --> "\n\n" conversion going into rfc2822_msg below
+	std::string message = raw_message;
+	std::string bad_string = "\n.\n";
+	std::string good_string = "\n..\n";
+	while (1)
+	{
+		int index = message.find(bad_string);
+		if (index == std::string::npos) break;
+		message.replace(index, bad_string.size(), good_string);
+	}
+
+	// convert all "\n" into "\r\n"
 	std::ostringstream rfc2822_msg;
 	for(U32 i = 0; i < message.size(); ++i)
 	{
@@ -324,7 +351,7 @@ bool LLMail::send(
 			<< "when sending messages larger than " << LL_MAX_KNOWN_GOOD_MAIL_SIZE
 			<< " bytes. The next log about success is potentially a lie." << llendl;
 	}
-	llinfos << "send_mail success: "
+	lldebugs << "send_mail success: "
 		<< "to=<" << to_address
 		<< ">, from=<" << from_address << ">"
 		<< ", bytes=" << original_size
@@ -365,7 +392,7 @@ std::string LLMail::encryptIMEmailAddress(const LLUUID& from_agent_id,
 	std::string address = LLBase32::encode(encrypted, encrypted_size);
 
 	// Make it more pretty for humans.
-	LLString::toLower(address);
+	LLStringUtil::toLower(address);
 
 	delete [] encrypted;