From: Don Armstrong <don@donarmstrong.com>
Date: Mon, 24 Jul 2023 23:17:17 +0000 (-0700)
Subject: Handle RFC1522 escaped commas in structured headers (#1041638)
X-Git-Url: https://git.donarmstrong.com/debbugs.git?a=commitdiff_plain;h=3ba0f18b6129049f4a76aeab5a5966b49a66dbc2;p=debbugs.git

Handle RFC1522 escaped commas in structured headers (#1041638)
---

diff --git a/Debbugs/MIME.pm b/Debbugs/MIME.pm
index 1d8fcb5..3033f30 100644
--- a/Debbugs/MIME.pm
+++ b/Debbugs/MIME.pm
@@ -42,7 +42,7 @@ BEGIN {
     @EXPORT = ();
 
     %EXPORT_TAGS = (mime => [qw(parse create_mime_message getmailbody)],
-		    rfc1522 => [qw(decode_rfc1522 encode_rfc1522)],
+		    rfc1522 => [qw(decode_rfc1522 encode_rfc1522 handle_escaped_commas)],
 		   );
     @EXPORT_OK=();
     Exporter::export_ok_tags(keys %EXPORT_TAGS);
@@ -52,6 +52,7 @@ BEGIN {
 use File::Path qw(remove_tree);
 use File::Temp qw(tempdir);
 use MIME::Parser;
+use Mail::Message::Field;
 
 use POSIX qw(strftime);
 use List::AllUtils qw(apply);
@@ -357,4 +358,36 @@ sub encode_rfc1522 {
      return $string;
 }
 
+=head2
+
+    $header = handle_escaped_commas('','From: ')
+
+Handle commas in addresses which have been RFC1522 escaped and now need to be
+quoted to avoid parsing as a record separator.
+
+=cut
+
+sub handle_escaped_commas {
+    my ($modified_hdr, $orig_hdr) = @_;
+
+    my $field = Mail::Message::Field->new($orig_hdr);
+    # if the header isn't structured, it can't contain an address
+    if (not $field->isStructured()) {
+	return $modified_hdr
+    }
+    if ($field->name() !~ m/^(?:to|from|reply-to)$/) {
+	return $modified_hdr
+    }
+    my @addresses = $field->addresses();
+    if (not @addresses) {
+	return $modified_hdr
+    }
+    my @return_addresses;
+    for my $address (@addresses) {
+	$address->phrase(decode_rfc1522($address->phrase()));
+	push @return_addresses, $address->format();
+    }
+    return join(', ',@return_addresses)
+}
+
 1;
diff --git a/debian/changelog b/debian/changelog
index 16d26c1..9b25c68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ debbugs (2.6.1) unstable; urgency=medium
   * Fix unescaped From (closes: #983847)
   * Actually return message/rfc822 when there is a single message instead
     of mbox (closes: #1009181)
+  * Fix missing escaping of comma in address fields (closes: #1041638)
 
  -- Don Armstrong <don@debian.org>  Fri, 09 Mar 2018 11:17:10 -0800
 
diff --git a/scripts/process b/scripts/process
index b403603..6e0a247 100755
--- a/scripts/process
+++ b/scripts/process
@@ -183,7 +183,7 @@ for my $hdr (@headerlines) {
 			 mail-followup-to|
 			 references):
 		 |From\s|X-Debbugs-)/xi;
-    $fwd .= encode_utf8($hdr)."\n" if $ins;
+    $fwd .= $orig_hdr."\n" if $ins;
     # print {$debugfh} ">$_<\n";
     if (s/^(\S+):\s*//) {
 	my $v = lc $1;
@@ -191,7 +191,13 @@ for my $hdr (@headerlines) {
 	    push @common_headers, 'X-Loop',$_;
 	}
 	print {$debugfh} ">$v=$_<\n";
-	$header{$v} = $_;
+	# Handle a comma which is escaped being passed through un-escaped. See
+	# https://bugs.debian.org/1041638
+	if ($_ =~ m/,/ and not $orig_hdr =~ m/,/) {
+	    $header{$v} = handle_escaped_commas($_,$orig_hdr);
+	} else {
+	    $header{$v} = $_;
+	}
     } else {
 	print {$debugfh} "!>$_<\n";
     }
@@ -716,7 +722,7 @@ if ($ref<0) { # new bug report
                                             );
             }
         }
-        if ($name eq 'usertags'){
+        if ($name eq 'usertags' and defined $current_user){
             my %user_tags;
             read_usertags(\%user_tags, $current_user);
             $value =~ s/(?:^\s+|\s+$)//g;
diff --git a/t/01_mime.t b/t/01_mime.t
index dcd3b76..ecad37b 100644
--- a/t/01_mime.t
+++ b/t/01_mime.t
@@ -1,7 +1,7 @@
 # -*- mode: cperl;-*-
 # $Id: 01_mime.t,v 1.1 2005/08/17 21:46:17 don Exp $
 
-use Test::More tests => 6;
+use Test::More tests => 7;
 
 use warnings;
 use strict;
@@ -36,7 +36,8 @@ ok(Debbugs::MIME::decode_rfc1522(Debbugs::MIME::encode_rfc1522(encode_utf8($test
   "encode_rfc1522 encodes strings that decode_rfc1522 can decode");
 ok(Debbugs::MIME::decode_rfc1522(Debbugs::MIME::encode_rfc1522(encode_utf8($test_str3))) eq $test_str3,
   "encode_rfc1522 properly handles parenthesis and \"");
-
+ok(Debbugs::MIME::handle_escaped_commas(q(),q(From: =?UTF-8?Q?Armstrong=2C?= Don <don@donarmstrong.com>)) eq q("Armstrong, Don" <don@donarmstrong.com>),
+  "handle_escaped_commas properly handles commas in RFC1522 encoded strings");
 
 # Make sure that create_mime_message has encoded headers and doesn't enclude any 8-bit characters