From: Steffen Nurpmeso <steffen@sdaoden.eu>
Subject: Re: smtpd: allow escaping inside quotes
To: Omar Polo <op@omarpolo.com>
Cc: tech@openbsd.org, Martijn van Duren <martijn@openbsd.org>
Date: Mon, 29 Jan 2024 20:44:43 +0100

Hello Omar,

Omar Polo wrote in
 <3QKI2TQCPBATY.3I98EFOP5I7R6@venera>:
 |On 2024/01/23 00:00:52 +0100, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
 |> Omar Polo wrote in
 |>  <248HEPT7PIWVZ.2QV59XPHQ4YWJ@venera>:
 |>|A bug was filed for opensmtpd-portable regarding escape sequences inside
 |>|quotes in headers: <https://github.com/OpenSMTPD/OpenSMTPD/issues/1242>.
 |>|
 |>|The issue is easily replicable by sending a mail with a from as follows:
 |>|
 |>| From: "\"Doe, John\"" <op>
 |>  ...
 |> I am currently writing a RFC 5322 parser (for a simple DKIM signer
 ...
 |> Please see below some test cases to try out.  Note some come from
 |> the RFC 822, 5322 standard (drafts).  I could imagine OpenSMTPD to
 |> fail for some, martijn's thing does for sure.
 ...
 |Thanks for providing some test cases.

There are even more for my final (since Friday) implementation, as
posted in private.

 |Currently, smtpd needs are pretty small.  If you take a look at
 |rfc5322.c you'll see that it mostly handles folding, the headers are
 |left as-is.  Later, in smtp_session.c, header_domain_append_callback()
 |is used to turn stuff like ``From: <op>'' to ``From: <op@localhost>'',
 |and that function is only used for To, Cc and From.

"Only" is good, these cover almost the full spectrum of address
parser use cases.  And well i cannot comment on that, the opendkim
parser from Sendmail i posted is also very small and pretty good,
at least for valid input.  (Regarding smtp_session.c, if *i*
personally see lots of successive identical "... && !x && !y" my
brain quits.  And for "found a separator, buffer contains a full
address" i am pressing thumbs.)

 |However, I think it would be a good idea to start building up a regress
 |suite for stuff like this.  I know that Gilles had one (including a
 |branch that was simulating random failures in various places IIRC), but
 |there's nothing easy to try out in /usr/src/regress/.

Ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)