From: Todd C. Miller <millert@openbsd.org>
Subject: Re: smtpd: allow escaping inside quotes
To: Omar Polo <op@omarpolo.com>
Cc: tech@openbsd.org
Date: Sun, 28 Jan 2024 10:07:52 -0700

On Mon, 22 Jan 2024 11:41:13 +0100, Omar Polo wrote:

> A bug was filed for opensmtpd-portable regarding escape sequences inside
> quotes in headers: <https://github.com/OpenSMTPD/OpenSMTPD/issues/1242>.
>
> The issue is easily replicable by sending a mail with a from as follows:
>
> 	From: "\"Doe, John\"" <op>
>
> smtpd mis-interprets the escapes inside the quoted name and turns it
> into:
>
> 	From: "\"Doe@localhost, John\"" <op>
>
> When smtpd reaches the comma it thinks it's the address separator and
> not part of the string.  This is caused since the \ is treated as
> literal in a quoted context and so \" closes the quoted string from
> smtpd point of view.
>
> If I'm reading RFC5322 correctly, it actually allows for escapes inside
> quotes.  Citing bits of the ABFN:
>
>    name-addr       =   [display-name] angle-addr
>    display-name    =   phrase
>    phrase          =   1*word / obs-phrase
>    word            =   atom / quoted-string
>    quoted-string   =   [CFWS] DQUOTE *([FWS] qcontent) [FWS] DQUOTE [CFWS]
>    qcontent        =   qtext / quoted-pair
>
> diff belows allows for handling of escapes in quoted strings.  It only
> affects how To, Cc and From headers are processed.

OK millert@

 - todd