From bedeeaa4a7145cb6dabddf0e4377799f33d1f24b Mon Sep 17 00:00:00 2001 From: alhudz Date: Sun, 21 Jun 2026 17:59:09 +0530 Subject: [PATCH] smtp: reject CR and LF in the envelope address Verified in test 2110 Closes #22119 --- lib/smtp.c | 24 +++++++++++++++------ tests/data/Makefile.am | 2 +- tests/data/test2110 | 49 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 8 deletions(-) create mode 100644 tests/data/test2110 diff --git a/lib/smtp.c b/lib/smtp.c index 2283f5e87d..e73e972555 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -250,16 +250,26 @@ static CURLcode smtp_parse_custom_request(struct Curl_easy *data, * calling function deems it to be) then the input will be returned in * the address part with the hostname being NULL. */ -static CURLcode smtp_parse_address(const char *fqma, char **address, - struct hostname *host, const char **suffix) +static CURLcode smtp_parse_address(struct Curl_easy *data, const char *fqma, + char **address, struct hostname *host, + const char **suffix) { CURLcode result = CURLE_OK; size_t length; char *addressend; + char *dup; + + /* A CR or LF in the address ends up verbatim in the MAIL FROM/RCPT TO + command line, so a crafted address could smuggle further SMTP commands + onto the wire. Reject it before the command is built. */ + if(strpbrk(fqma, "\r\n")) { + failf(data, "Refusing to send email address with a CR or LF"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } /* Duplicate the fully qualified email address so we can manipulate it, ensuring it does not contain the delimiters if specified */ - char *dup = curlx_strdup(fqma[0] == '<' ? fqma + 1 : fqma); + dup = curlx_strdup(fqma[0] == '<' ? fqma + 1 : fqma); if(!dup) return CURLE_OUT_OF_MEMORY; @@ -842,7 +852,7 @@ static CURLcode smtp_perform_command(struct Curl_easy *data, /* Parse the mailbox to verify into the local address and hostname parts, converting the hostname to an IDN A-label if necessary */ - result = smtp_parse_address(smtp->rcpt->data, + result = smtp_parse_address(data, smtp->rcpt->data, &address, &host, &suffix); if(result) return result; @@ -918,7 +928,7 @@ static CURLcode smtp_perform_mail(struct Curl_easy *data, /* Parse the FROM mailbox into the local address and hostname parts, converting the hostname to an IDN A-label if necessary */ - result = smtp_parse_address(data->set.str[STRING_MAIL_FROM], + result = smtp_parse_address(data, data->set.str[STRING_MAIL_FROM], &address, &host, &suffix); if(result) goto out; @@ -960,7 +970,7 @@ static CURLcode smtp_perform_mail(struct Curl_easy *data, /* Parse the AUTH mailbox into the local address and hostname parts, converting the hostname to an IDN A-label if necessary */ - result = smtp_parse_address(data->set.str[STRING_MAIL_AUTH], + result = smtp_parse_address(data, data->set.str[STRING_MAIL_AUTH], &address, &host, &suffix); if(result) goto out; @@ -1097,7 +1107,7 @@ static CURLcode smtp_perform_rcpt_to(struct Curl_easy *data, /* Parse the recipient mailbox into the local address and hostname parts, converting the hostname to an IDN A-label if necessary */ - result = smtp_parse_address(smtp->rcpt->data, + result = smtp_parse_address(data, smtp->rcpt->data, &address, &host, &suffix); if(result) return result; diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 3cc89e34f4..9311558e13 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -254,7 +254,7 @@ test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \ test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \ test2088 test2089 test2090 test2091 test2092 \ test2100 test2101 test2102 test2103 test2104 test2105 test2106 test2107 \ -test2108 test2109 test2113 \ +test2108 test2109 test2110 test2113 \ \ test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \ test2208 \ diff --git a/tests/data/test2110 b/tests/data/test2110 new file mode 100644 index 0000000000..6b48608c8b --- /dev/null +++ b/tests/data/test2110 @@ -0,0 +1,49 @@ + + + + +SMTP + + + +# Server-side + + + +# Client-side + + +smtp + + +SMTP --mail-from with embedded CRLF is rejected + + +From: different +To: another + +body + +# read the sender from a config file so the raw CR LF reaches curl intact +# regardless of how the platform passes command line arguments + +mail-from = "sender@example.com\r\nDATA" + + +smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com -K %LOGDIR/test%TESTNUMBER.config -T %LOGDIR/test%TESTNUMBER.eml + + + +# Verify data after the test has been "shot" + +# 43 - CURLE_BAD_FUNCTION_ARGUMENT + +43 + +# the injected DATA command must never reach the server + +EHLO %TESTNUMBER +QUIT + + +