From 8beaa7ffcf5e07dd814689c28ce8ce060036d532 Mon Sep 17 00:00:00 2001
From: Don Armstrong <don@donarmstrong.com>
Date: Mon, 24 Jul 2023 16:17:17 -0700
Subject: [PATCH] Handle RFC1522 escaped commas in structured headers
 (#1041638)

---
 debian/changelog    |  1 +
 lib/Debbugs/MIME.pm | 35 ++++++++++++++++++++++++++++++++++-
 scripts/process     | 12 +++++++++---
 t/01_mime.t         |  5 +++--
 4 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 60dfa6c7..5cdd98c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ debbugs (3.0.0~alpha.1) unstable; urgency=medium
   * Fix unescaped From (closes: #983847)
   * Actually return message/rfc822 when there is a single message instead
     of mbox (closes: #1009181)
+  * Fix missing escaping of comma in address fields (closes: #1041638)
 
  -- Don Armstrong <don@debian.org>  Fri, 09 Mar 2018 11:17:10 -0800
 
diff --git a/lib/Debbugs/MIME.pm b/lib/Debbugs/MIME.pm
index fec3b6e2..579f3329 100644
--- a/lib/Debbugs/MIME.pm
+++ b/lib/Debbugs/MIME.pm
@@ -44,7 +44,7 @@ BEGIN {
     %EXPORT_TAGS = (mime => [qw(parse create_mime_message getmailbody),
 			     qw(parse_to_mime_entity),
 			    ],
-		    rfc1522 => [qw(decode_rfc1522 encode_rfc1522)],
+		    rfc1522 => [qw(decode_rfc1522 encode_rfc1522 handle_escaped_commas)],
 		   );
     @EXPORT_OK=();
     Exporter::export_ok_tags(keys %EXPORT_TAGS);
@@ -54,6 +54,7 @@ BEGIN {
 use File::Path qw(remove_tree);
 use File::Temp qw(tempdir);
 use MIME::Parser;
+use Mail::Message::Field;
 
 use POSIX qw(strftime);
 use List::AllUtils qw(apply);
@@ -396,4 +397,36 @@ sub encode_rfc1522 {
      return $string;
 }
 
+=head2
+
+    $header = handle_escaped_commas('','From: ')
+
+Handle commas in addresses which have been RFC1522 escaped and now need to be
+quoted to avoid parsing as a record separator.
+
+=cut
+
+sub handle_escaped_commas {
+    my ($modified_hdr, $orig_hdr) = @_;
+
+    my $field = Mail::Message::Field->new($orig_hdr);
+    # if the header isn't structured, it can't contain an address
+    if (not $field->isStructured()) {
+	return $modified_hdr
+    }
+    if ($field->name() !~ m/^(?:to|from|reply-to)$/) {
+	return $modified_hdr
+    }
+    my @addresses = $field->addresses();
+    if (not @addresses) {
+	return $modified_hdr
+    }
+    my @return_addresses;
+    for my $address (@addresses) {
+	$address->phrase(decode_rfc1522($address->phrase()));
+	push @return_addresses, $address->format();
+    }
+    return join(', ',@return_addresses)
+}
+
 1;
diff --git a/scripts/process b/scripts/process
index 4e4d97af..83109986 100755
--- a/scripts/process
+++ b/scripts/process
@@ -184,7 +184,7 @@ for my $hdr (@headerlines) {
 			 mail-followup-to|
 			 references):
 		 |From\s|X-Debbugs-)/xi;
-    $fwd .= encode_utf8($hdr)."\n" if $ins;
+    $fwd .= $orig_hdr."\n" if $ins;
     # print {$debugfh} ">$_<\n";
     if (s/^(\S+):\s*//) {
 	my $v = lc $1;
@@ -192,7 +192,13 @@ for my $hdr (@headerlines) {
 	    push @common_headers, 'X-Loop',$_;
 	}
 	print {$debugfh} ">$v=$_<\n";
-	$header{$v} = $_;
+	# Handle a comma which is escaped being passed through un-escaped. See
+	# https://bugs.debian.org/1041638
+	if ($_ =~ m/,/ and not $orig_hdr =~ m/,/) {
+	    $header{$v} = handle_escaped_commas($_,$orig_hdr);
+	} else {
+	    $header{$v} = $_;
+	}
     } else {
 	print {$debugfh} "!>$_<\n";
     }
@@ -718,7 +724,7 @@ if ($ref<0) { # new bug report
                                             );
             }
         }
-        if ($name eq 'usertags'){
+        if ($name eq 'usertags' and defined $current_user){
             my %user_tags;
             read_usertags(\%user_tags, $current_user);
             $value =~ s/(?:^\s+|\s+$)//g;
diff --git a/t/01_mime.t b/t/01_mime.t
index dcd3b760..ecad37ba 100644
--- a/t/01_mime.t
+++ b/t/01_mime.t
@@ -1,7 +1,7 @@
 # -*- mode: cperl;-*-
 # $Id: 01_mime.t,v 1.1 2005/08/17 21:46:17 don Exp $
 
-use Test::More tests => 6;
+use Test::More tests => 7;
 
 use warnings;
 use strict;
@@ -36,7 +36,8 @@ ok(Debbugs::MIME::decode_rfc1522(Debbugs::MIME::encode_rfc1522(encode_utf8($test
   "encode_rfc1522 encodes strings that decode_rfc1522 can decode");
 ok(Debbugs::MIME::decode_rfc1522(Debbugs::MIME::encode_rfc1522(encode_utf8($test_str3))) eq $test_str3,
   "encode_rfc1522 properly handles parenthesis and \"");
-
+ok(Debbugs::MIME::handle_escaped_commas(q(),q(From: =?UTF-8?Q?Armstrong=2C?= Don <don@donarmstrong.com>)) eq q("Armstrong, Don" <don@donarmstrong.com>),
+  "handle_escaped_commas properly handles commas in RFC1522 encoded strings");
 
 # Make sure that create_mime_message has encoded headers and doesn't enclude any 8-bit characters
 
-- 
2.39.5