| blob | 298fc2b37fe3151305956c7af8e155b9e92cb84a |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* tok822_parse 3
6 /* SUMMARY
7 /* RFC 822 address parser
8 /* SYNOPSIS
9 /* #include <tok822.h>
10 /*
11 /* TOK822 *tok822_scan_limit(str, tailp, limit)
12 /* const char *str;
13 /* TOK822 **tailp;
14 /* int limit;
15 /*
16 /* TOK822 *tok822_scan(str, tailp)
17 /* const char *str;
18 /* TOK822 **tailp;
19 /*
20 /* TOK822 *tok822_parse_limit(str, limit)
21 /* const char *str;
22 /* int limit;
23 /*
24 /* TOK822 *tok822_parse(str)
25 /* const char *str;
26 /*
27 /* TOK822 *tok822_scan_addr(str)
28 /* const char *str;
29 /*
30 /* VSTRING *tok822_externalize(buffer, tree, flags)
31 /* VSTRING *buffer;
32 /* TOK822 *tree;
33 /* int flags;
34 /*
35 /* VSTRING *tok822_internalize(buffer, tree, flags)
36 /* VSTRING *buffer;
37 /* TOK822 *tree;
38 /* int flags;
39 /* DESCRIPTION
40 /* This module converts address lists between string form and parse
41 /* tree formats. The string form can appear in two different ways:
42 /* external (or quoted) form, as used in message headers, and internal
43 /* (unquoted) form, as used internally by the mail software.
44 /* Although RFC 822 expects 7-bit data, these routines pay no
45 /* special attention to 8-bit characters.
46 /*
47 /* tok822_scan() converts the external-form string in \fIstr\fR
48 /* to a linear token list. The \fItailp\fR argument is a null pointer
49 /* or receives the pointer value of the last result list element.
50 /*
51 /* tok822_scan_limit() implements tok822_scan(), which is a macro.
52 /* The \fIlimit\fR argument is either zero or an upper bound on the
53 /* number of tokens produced.
54 /*
55 /* tok822_parse() converts the external-form address list in
56 /* \fIstr\fR to the corresponding token tree. The parser is permissive
57 /* and will not throw away information that it does not understand.
58 /* The parser adds missing commas between addresses.
59 /*
60 /* tok822_parse_limit() implements tok822_parse(), which is a macro.
61 /* The \fIlimit\fR argument is either zero or an upper bound on the
62 /* number of tokens produced.
63 /*
64 /* tok822_scan_addr() converts the external-form string in
65 /* \fIstr\fR to an address token tree. This is just string to
66 /* token list conversion; no parsing is done. This routine is
67 /* suitable for data that should contain just one address and no
68 /* other information.
69 /*
70 /* tok822_externalize() converts a token list to external form.
71 /* Where appropriate, characters and strings are quoted and white
72 /* space is inserted. The \fIflags\fR argument is the binary OR of
73 /* zero or more of the following:
74 /* .IP TOK822_STR_WIPE
75 /* Initially, truncate the result to zero length.
76 /* .IP TOK822_STR_TERM
77 /* Append a null terminator to the result when done.
78 /* .IP TOK822_STR_LINE
79 /* Append a line break after each comma token, instead of appending
80 /* whitespace. It is up to the caller to concatenate short lines to
81 /* produce longer ones.
82 /* .IP TOK822_STR_TRNC
83 /* Truncate non-address information to 250 characters per address, to
84 /* protect Sendmail systems that are vulnerable to the problem in CERT
85 /* advisory CA-2003-07.
86 /* This flag has effect with tok822_externalize() only.
87 /* .PP
88 /* The macro TOK_822_NONE expresses that none of the above features
89 /* should be activated.
90 /*
91 /* The macro TOK822_STR_DEFL combines the TOK822_STR_WIPE and
92 /* TOK822_STR_TERM flags. This is useful for most token to string
93 /* conversions.
94 /*
95 /* The macro TOK822_STR_HEAD combines the TOK822_STR_TERM,
96 /* TOK822_STR_LINE and TOK822_STR_TRNC flags. This is useful for
97 /* the special case of token to mail header conversion.
98 /*
99 /* tok822_internalize() converts a token list to string form,
100 /* without quoting. White space is inserted where appropriate.
101 /* The \fIflags\fR argument is as with tok822_externalize().
102 /* STANDARDS
103 /* .ad
104 /* .fi
105 /* RFC 822 (ARPA Internet Text Messages). In addition to this standard
106 /* this module implements additional operators such as % and !. These
107 /* are needed because the real world is not all RFC 822. Also, the ':'
108 /* operator is allowed to appear inside addresses, to accommodate DECnet.
109 /* In addition, 8-bit data is not given special treatment.
110 /* LICENSE
111 /* .ad
112 /* .fi
113 /* The Secure Mailer license must be distributed with this software.
114 /* AUTHOR(S)
115 /* Wietse Venema
116 /* IBM T.J. Watson Research
117 /* P.O. Box 704
118 /* Yorktown Heights, NY 10598, USA
119 /*--*/
121 /* System library. */
123 #include <sys_defs.h>
124 #include <ctype.h>
125 #include <string.h>
127 /* Utility library. */
129 #include <vstring.h>
130 #include <msg.h>
131 #include <stringops.h>
133 /* Global library. */
139 /*
140 * I suppose this is my favorite macro. Used heavily for tokenizing.
141 */
142 #define COLLECT(t,s,c,cond) { \
143 while ((c = *(unsigned char *) s) != 0) { \
145 if ((c = *(unsigned char *)++s) == 0) \
146 break; \
147 } else if (!(cond)) { \
148 break; \
149 } \
151 s++; \
152 } \
153 VSTRING_TERMINATE(t->vstr); \
154 }
156 #define COLLECT_SKIP_LAST(t,s,c,cond) { COLLECT(t,s,c,cond); if (*s) s++; }
158 /*
159 * Not quite as complex. The parser depends heavily on it.
160 */
161 #define SKIP(tp, cond) { \
162 while (tp->type && (cond)) \
163 tp = tp->prev; \
164 }
166 #define MOVE_COMMENT_AND_CONTINUE(tp, right) { \
167 TOK822 *prev = tok822_unlink(tp); \
168 right = tok822_prepend(right, tp); \
169 tp = prev; \
170 continue; \
171 }
173 #define SKIP_MOVE_COMMENT(tp, cond, right) { \
174 while (tp->type && (cond)) { \
175 if (tp->type == TOK822_COMMENT) \
176 MOVE_COMMENT_AND_CONTINUE(tp, right); \
177 tp = tp->prev; \
178 } \
179 }
181 /*
182 * Single-character operators. We include the % and ! operators because not
183 * all the world is RFC822. XXX Make this operator list configurable when we
184 * have a real rewriting language. Include | for aliases file parsing.
185 */
197 #define NO_MISSING_COMMA 0
199 /* tok822_internalize - token tree to string, internal form */
202 {
215 }
237 }
240 }
244 }
246 /* strip_address - strip non-address text from address expression */
249 {
252 /*
253 * Emit plain <address>. Discard any comments or phrases.
254 */
266 }
268 }
270 /* tok822_externalize - token tree to string, external form */
273 {
276 ssize_t start;
278 ssize_t addr_len;
280 /*
281 * Guard against a Sendmail buffer overflow (CERT advisory CA-2003-07).
282 * The problem was that Sendmail could store too much non-address text
283 * (comments, phrases, etc.) into a static 256-byte buffer.
284 *
285 * When the buffer fills up, fixed Sendmail versions remove comments etc.
286 * and reduce the information to just <$g>, which expands to <address>.
287 * No change is made when an address expression (text separated by
288 * commas) contains no address. This fix reportedly also protects
289 * Sendmail systems that are still vulnerable to this problem.
290 *
291 * Postfix takes the same approach, grudgingly. To avoid unnecessary damage,
292 * Postfix removes comments etc. only when the amount of non-address text
293 * in an address expression (text separated by commas) exceeds 250 bytes.
294 *
295 * With Sendmail, the address part of an address expression is the
296 * right-most <> instance in that expression. If an address expression
297 * contains no <>, then Postfix guarantees that it contains at most one
298 * non-comment string; that string is the address part of the address
299 * expression, so there is no ambiguity.
300 *
301 * Finally, we note that stress testing shows that other code in Sendmail
302 * 8.12.8 bluntly truncates ``text <address>'' to 256 bytes even when
303 * this means chopping the <address> somewhere in the middle. This is a
304 * loss of control that we're not entirely comfortable with. However,
305 * unbalanced quotes and dangling backslash do not seem to influence the
306 * way that Sendmail parses headers, so this is not an urgent problem.
307 */
308 #define MAX_NONADDR_LENGTH 250
310 #define RESET_NONADDR_LENGTH { \
311 start = VSTRING_LEN(vp); \
312 addr = 0; \
313 addr_len = 0; \
314 }
316 #define ENFORCE_NONADDR_LENGTH do { \
317 if (addr && VSTRING_LEN(vp) - addr_len > start + MAX_NONADDR_LENGTH) \
318 strip_address(vp, start, addr->head); \
319 } while(0)
325 RESET_NONADDR_LENGTH;
331 ENFORCE_NONADDR_LENGTH;
335 RESET_NONADDR_LENGTH;
338 /*
339 * XXX In order to correctly externalize an address, it is not
340 * sufficient to quote individual atoms. There are higher-level
341 * rules that say when an address localpart needs to be quoted.
342 * We wing it with the quote_822_local() routine, which ignores
343 * the issue of atoms in the domain part that would need quoting.
344 */
376 }
383 }
386 }
388 ENFORCE_NONADDR_LENGTH;
393 }
395 /* tok822_copy_quoted - copy a string while quoting */
398 {
405 }
406 }
408 /* tok822_append_space - see if space is needed after this token */
411 {
419 #define NON_OPERATOR(x) \
420 (x->type == TOK822_ATOM || x->type == TOK822_QSTRING \
421 || x->type == TOK822_COMMENT || x->type == TOK822_DOMLIT \
422 || x->type == TOK822_ADDR)
425 }
427 /* tok822_scan_limit - tokenize string */
430 {
437 /*
438 * XXX 2822 new feature: Section 4.1 allows "." to appear in a phrase (to
439 * allow for forms such as: Johnny B. Goode <johhny@domain.org>. I cannot
440 * handle that at the tokenizer level - it is not context sensitive. And
441 * to fix this at the parser level requires radical changes to preserve
442 * white space as part of the token stream. Thanks a lot, people.
443 */
463 }
470 }
473 }
477 }
479 /* tok822_parse_limit - translate external string to token tree */
482 {
491 /*
492 * First, tokenize the string, from left to right. We are not allowed to
493 * throw away any information that we do not understand. With a flat
494 * token list that contains all tokens, we can always convert back to
495 * string form.
496 */
500 /*
501 * For convenience, sandwich the token list between two sentinel tokens.
502 */
503 #define GLUE(left,rite) { left->next = rite; rite->prev = left; }
510 /*
511 * Next step is to transform the token list into a parse tree. This is
512 * done most conveniently from right to left. If there is something that
513 * we do not understand, just leave it alone, don't throw it away. The
514 * address information that we're looking for sits in-between the current
515 * node (tp) and the one called right. Add missing commas on the fly.
516 */
550 }
552 }
555 /*
556 * Discard the sentinel tokens on the left and right extremes. Properly
557 * terminate the resulting list.
558 */
565 }
567 /* tok822_quote_atom - see if an atom needs quoting when externalized */
570 {
574 /*
575 * RFC 822 expects 7-bit data. Rather than quoting every 8-bit character
576 * (and still passing it on as 8-bit data) we leave 8-bit data alone.
577 */
583 }
584 }
585 }
587 /* tok822_comment - tokenize comment */
590 {
594 /*
595 * XXX We cheat by storing comments in their external form. Otherwise it
596 * would be a royal pain to preserve \ before (. That would require a
597 * recursive parser; the easy to implement stack-based recursion would be
598 * too expensive.
599 */
604 str++;
606 level++;
614 str++;
615 }
616 }
619 }
621 /* tok822_group - cluster a group of tokens */
624 {
629 /*
630 * Cluster the tokens between left and right under their own parse tree
631 * node. Optionally insert a resync token.
632 */
643 }
644 }
646 }
648 /* tok822_scan_addr - convert external address string to address token */
651 {
656 }
658 #ifdef TEST
660 #include <unistd.h>
661 #include <vstream.h>
662 #include <readlline.h>
664 /* tok822_print - display token */
667 {
686 }
687 }
688 }
691 {
696 #define TEST_TOKEN_LIMIT 20
702 }
722 }
726 }
728 #endif