[geeklog-devel] [geeklog-cvs] Geeklog-1.x/public_html profiles.php, 1.54, 1.55

Michael Jervis mjervis at gmail.com
Thu Feb 21 10:39:05 EST 2008


>  >Because a newline can not legitimately be submitted from an input
>  >type="text", nor would anyone try and insert one unless one was an
>  >evil h4x0r.

This still stands: it can only (without resorting to super-human
levels of asshat) have come from malicious input.

>  I figured out why I didn't notice it was an email subject--
>
>  +             $subject = htmlspecialchars (trim ($subject), ENT_QUOTES);
>
>  Why call htmlspecialchars on an email subject? I know it's copied
>  code. Doesn't mean the original code is correct.

Because we don't want an XSS attack to be made possible by crafting a
URL that opens the email user screen in "redisplay" mode with meanness
in place.

>  Oh, and according to RFC2822 section 2.2.3, CRLF is allowed in a
>  subject as long as it is at the front of other white space.

You have misread the RFC. The RFC permits you to insert CRLFs into
the subject for display provided it's at an appropriate whitespace
juncture to allow for display on width-restricted systems:

RFC 2822                Internet Message Format               April 2001

   Each header field is logically a single line of characters comprising
   the field name, the colon, and the field body.  For convenience
   however, and to deal with the 998/78 character limitations per line,
   the field body portion of a header field can be split into a multiple
   line representation; this is called "folding".  The general rule is
   that wherever this standard allows for folding white space (not
   simply WSP characters), a CRLF may be inserted before any WSP.  For
   example, the header field:

           Subject: This is a test

   can be represented as:

           Subject: This
            is a test

   Note: Though structured field bodies are defined in such a way that
   folding can take place between many of the lexical tokens (and even
   within some of the lexical tokens), folding SHOULD be limited to
   placing the CRLF at higher-level syntactic breaks.  For instance, if
   a field body is defined as comma-separated values, it is recommended
   that folding occur after the comma separating the structured items in
   preference to other places where the field could be folded, even if
   it is allowed elsewhere.

   The process of moving from this folded multiple-line representation
   of a header field to its single line representation is called
   "unfolding". Unfolding is accomplished by simply removing any CRLF
   that is immediately followed by WSP.  Each header field should be
   treated in its unfolded form for further syntactic and semantic
   evaluation.
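The two points argued above (a newline in a text-input subject can only be an injection attempt, and RFC 2822 folding is strictly CRLF followed by WSP, which the receiver unfolds) as an added PHP example. This is not Geeklog's own code and not from the thread; the function names, the sample inputs and the `example.com` address are constructed for illustration.

```php
<?php
// Added example (not Geeklog's code): defensive handling of a user-supplied
// e-mail subject, illustrating the two points in the thread above.
//
// 1. A subject coming from <input type="text"> can never legitimately contain
//    CR or LF, so any newline is treated as a header-injection attempt and the
//    whole submission is rejected rather than "cleaned".
// 2. Folding per RFC 2822 section 2.2.3 is CRLF *followed by WSP* inside a
//    header that the mail software itself emits; it is not a licence for the
//    user to put newlines in the field. unfoldHeaderBody() shows what a
//    receiver does with a folded header: it removes only CRLF+WSP pairs.

/**
 * Returns true if the raw form value is safe to use as a mail header body:
 * no CR, no LF, no NUL. Anything else is a likely injection attempt.
 */
function isValidSubjectInput(string $raw): bool
{
    return preg_match('/[\r\n\x00]/', $raw) !== 1;
}

/**
 * Prepares a subject for re-display inside an HTML form (the "redisplay"
 * mode mentioned above). Escaping happens at output time, for the HTML
 * context; the value handed to the mailer stays the raw, validated string.
 */
function subjectForHtml(string $subject): string
{
    return htmlspecialchars(trim($subject), ENT_QUOTES, 'UTF-8');
}

/**
 * RFC 2822 unfolding: remove every CRLF that is immediately followed by
 * WSP (space or tab). A CRLF not followed by WSP is NOT folding; it marks
 * the end of the header field, which is exactly why an injected bare
 * newline would start a new header.
 */
function unfoldHeaderBody(string $folded): string
{
    return preg_replace('/\r\n(?=[ \t])/', '', $folded);
}

// --- constructed sample inputs (hypothetical, not real submissions) -------
$samples = [
    'This is a test'                    => true,  // ordinary subject
    "Hello\r\nBcc: victim@example.com"  => false, // CRLF: header injection
    "Hello\nX-Injected: yes"            => false, // bare LF, also rejected
    "Hello\x00world"                    => false, // NUL byte
];

foreach ($samples as $input => $expected) {
    $ok = isValidSubjectInput($input);
    printf("%-40s valid=%s (expected %s)\n",
        json_encode($input), var_export($ok, true), var_export($expected, true));
    assert($ok === $expected);
}

// A folded subject as a mail *receiver* would see it on the wire...
$wire = "This\r\n is a test";
// ...unfolds to the single logical line the RFC example describes.
assert(unfoldHeaderBody($wire) === 'This is a test');

// ...whereas a CRLF that starts a new field is untouched by unfolding,
// so the receiver would honour the extra header. Hence: reject on input.
$newField = "This\r\nBcc: victim@example.com";
assert(unfoldHeaderBody($newField) === $newField);

// Redisplay escaping: quotes and angle brackets become inert text.
echo subjectForHtml('Re: "sale" <b>now</b>'), "\n";
```

Run with `php example.php` (PHP 7.4 or later, `zend.assertions=1` for the assertions to execute). The split between `isValidSubjectInput()` and `subjectForHtml()` is the design point: validation of the mail header happens on input and rejects outright, while `htmlspecialchars()` is applied only when the value is written back into HTML, which is the redisplay case the thread is concerned with.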
