[geary/wip/491-email-spoofing-case] Fix "'test example com' <test example com>" marked as spoofed
- From: Michael Gratton <mjog src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [geary/wip/491-email-spoofing-case] Fix "'test example com' <test example com>" marked as spoofed
- Date: Sat, 6 Jul 2019 04:40:55 +0000 (UTC)
commit bed1bad3ea0250d6d3998fcee8204f66bc4b7636
Author: Michael Gratton <mike vee net>
Date: Sat Jul 6 14:38:05 2019 +1000
Fix "'test example com' <test example com>" marked as spoofed
Make RFC822.MailboxAddress.has_distinct_name() use a substring match
rather than a straight-up string comparison.
See #491
src/engine/rfc822/rfc822-mailbox-address.vala | 18 ++++++++++--------
test/engine/rfc822-mailbox-address-test.vala | 26 +++++++++++++++-----------
2 files changed, 25 insertions(+), 19 deletions(-)
---
diff --git a/src/engine/rfc822/rfc822-mailbox-address.vala b/src/engine/rfc822/rfc822-mailbox-address.vala
index 448c6c9c..07560000 100644
--- a/src/engine/rfc822/rfc822-mailbox-address.vala
+++ b/src/engine/rfc822/rfc822-mailbox-address.vala
@@ -409,17 +409,19 @@ public class Geary.RFC822.MailboxAddress :
* Determines if the name part is different to the address part.
*
* @return //true// if {@link name} is not empty, and the
- * normalised name part and {@link address} are not equal when
- * performing a case-insensitive comparison.
+ * normalised {@link address} part is not contained within the
+ * name part when performing a case-insensitive comparison.
*/
public bool has_distinct_name() {
string name = Geary.String.reduce_whitespace(this.name);
- return (
- !Geary.String.is_empty(name) &&
- name.normalize().casefold() != Geary.String.reduce_whitespace(
- this.address.normalize().casefold()
- )
- );
+ bool ret = false;
+ if (!Geary.String.is_empty(name)) {
+ string address = Geary.String.reduce_whitespace(
+ this.address.normalize()
+ );
+ ret = !(address.normalize().casefold() in name.casefold());
+ }
+ return ret;
}
/**
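Review bot: The rewritten comparison `ret = !(address.normalize().casefold() in name.casefold());` no longer normalises the name: the removed code compared `name.normalize().casefold()`, while the address is now normalised twice. A name held in a different Unicode normalisation form from the address would then count as distinct; `ret = !(address.casefold() in name.normalize().casefold());` keeps both sides in the same form. Separately, plain containment is broader than the quoted case in the commit title, because any name that includes the address anywhere is now non-distinct. The test file's comment says is_spoofed depends on this result, so it is worth confirming (is_spoofed is not in this hunk) that extra text around the address cannot cause a check there to be skipped. If only quoting is meant to be tolerated, stripping surrounding quote characters and then comparing for equality would be the narrower change.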
diff --git a/test/engine/rfc822-mailbox-address-test.vala b/test/engine/rfc822-mailbox-address-test.vala
index b6e30789..ceb32381 100644
--- a/test/engine/rfc822-mailbox-address-test.vala
+++ b/test/engine/rfc822-mailbox-address-test.vala
@@ -12,8 +12,9 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
add_test("is_valid_address", is_valid_address);
add_test("unescaped_constructor", unescaped_constructor);
add_test("from_rfc822_string_encoded", from_rfc822_string_encoded);
- add_test("is_spoofed", is_spoofed);
+ // latter depends on the former, so test that first
add_test("has_distinct_name", has_distinct_name);
+ add_test("is_spoofed", is_spoofed);
add_test("to_full_display", to_full_display);
add_test("to_short_display", to_short_display);
// latter depends on the former, so test that first
@@ -151,6 +152,17 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
}
}
+ public void has_distinct_name() throws Error {
+ assert(new MailboxAddress("example", "example example com").has_distinct_name() == true);
+
+ assert(new MailboxAddress("", "example example com").has_distinct_name() == false);
+ assert(new MailboxAddress(" ", "example example com").has_distinct_name() == false);
+ assert(new MailboxAddress("example example com", "example example com").has_distinct_name() ==
false);
+ assert(new MailboxAddress(" example example com ", "example example com").has_distinct_name() ==
false);
+ assert(new MailboxAddress(" example example com ", "example example com").has_distinct_name() ==
false);
+ assert(new MailboxAddress("'example example com'", "example example com").has_distinct_name() ==
false);
+ }
+
public void is_spoofed() throws Error {
assert(new MailboxAddress(null, "example example com").is_spoofed() == false);
assert(new MailboxAddress("", "example example com").is_spoofed() == false);
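Review bot: Nothing in has_distinct_name() here pins the case that the containment check newly admits beyond quoting, namely a name that carries the address inside longer text. The assertions cover only the empty, exact, padded and single-quoted forms. An explicit case such as `assert(new MailboxAddress("Example example@example.com", "example@example.com").has_distinct_name() == false);` (constructed value; the archive appears to have stripped `@` and `.` from the addresses shown) would record the current result. Flip it to `true` if that outcome is not intended.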
@@ -161,6 +173,7 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
assert(new MailboxAddress("test?", "example example com").is_spoofed() == false);
assert(new MailboxAddress("test example com", "test example com").is_spoofed() == false);
assert(new MailboxAddress("test EXAMPLE com", "test example com").is_spoofed() == false);
+ assert(new MailboxAddress("'example example com'", "example example com").is_spoofed() == false);
assert(new MailboxAddress("test example com", "example example com").is_spoofed() == true);
assert(new MailboxAddress("test @ example . com", "example example com").is_spoofed() == true);
@@ -169,6 +182,7 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
assert(new MailboxAddress("test", "example@\nexample example com").is_spoofed() == true);
assert(new MailboxAddress("test", "example@example example com").is_spoofed() == true);
+
try {
assert(new
MailboxAddress.from_rfc822_string("\"=?utf-8?b?dGVzdCIgPHBvdHVzQHdoaXRlaG91c2UuZ292Pg==?==?utf-8?Q?=00=0A?=\"
<demo mailsploit com>")
.is_spoofed() == true);
@@ -177,16 +191,6 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
}
}
- public void has_distinct_name() throws Error {
- assert(new MailboxAddress("example", "example example com").has_distinct_name() == true);
-
- assert(new MailboxAddress("", "example example com").has_distinct_name() == false);
- assert(new MailboxAddress(" ", "example example com").has_distinct_name() == false);
- assert(new MailboxAddress("example example com", "example example com").has_distinct_name() ==
false);
- assert(new MailboxAddress(" example example com ", "example example com").has_distinct_name() ==
false);
- assert(new MailboxAddress(" example example com ", "example example com").has_distinct_name() ==
false);
- }
-
public void to_full_display() throws Error {
assert(new MailboxAddress("", "example example com").to_full_display() ==
"example example com");