Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2021/01/19 18:58:17 UTC

[Bug 7880] New: Can't call method "name" on an undefined value at lib/Mail/SpamAssassin/Message/Node.pm line 533 (nullref exception)

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7880

            Bug ID: 7880
           Summary: Can't call method "name" on an undefined value at
                    lib/Mail/SpamAssassin/Message/Node.pm line 533
                    (nullref exception)
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Libraries
          Assignee: dev@spamassassin.apache.org
          Reporter: jhardin@impsec.org
  Target Milestone: Undefined

r1864393 introduced a nullref weakness in a Node.pm debug message that triggers
when a UTF-16 header (or, presumably, body part) is too short for
detect_utf16() to be able to detect the endianness from the encoded data (or,
presumably, when it cannot detect the endianness for some other reason).

This occurs even if the UTF-16 data includes a BOM.

3.4 does not have this nullref weakness as the debug message change was not
backported.

Repro: Put this header in a test message:

  From:=?UTF-16?B?//492Enc?= DermaCorrect <@ewFXg.maclostech320.xyz;live.de;>

(note: malformed header is verbatim from actual spam)

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7880] Can't call method "name" on an undefined value at lib/Mail/SpamAssassin/Message/Node.pm line 533 (nullref exception)

Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7880

John Hardin <jh...@impsec.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |jhardin@impsec.org
             Status|NEW                         |RESOLVED

--- Comment #1 from John Hardin <jh...@impsec.org> ---

1. Modify test data to include a "short UTF-16" header case observed
in-the-wild that triggered this bug, verify test on unmodified Node.pm fails.
2. Modify Node.pm _normalize() to behave safely if detect_utf16() cannot
determine the endianness of the data.
3. Modify detect_utf16() to skip the data scan if a BOM is present (for
efficiency, as Perl's UTF-16 decoder will figure out the endianness from the
BOM)
4. Verify test from 1 now passes
5. Verify example from bug 7252 still works properly

Modified: .../trunk/lib/Mail/SpamAssassin/Message/Node.pm
Modified: .../trunk/t/data/nice/unicode2
Committed revision 1885696.

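The failure mode and the fix described in steps 2 and 3 above, as an added Perl example that is not SpamAssassin's code. `pick_utf16_decoder()` and `describe()` are hypothetical names, and the zero-byte count is an assumed stand-in for the real data scan; the inputs are the base64 payload from the reported header and a constructed BOM-less two-byte string.

```perl
use strict;
use warnings;
use Encode ();
use MIME::Base64 qw(decode_base64);

# Hypothetical helper: return an Encode object for UTF-16 input, or undef
# when the byte order cannot be determined.
sub pick_utf16_decoder {
    my ($bytes) = @_;

    # A BOM settles the byte order and Encode's "UTF-16" consumes it,
    # so the data scan can be skipped entirely.
    return Encode::find_encoding('UTF-16')
        if $bytes =~ /^(?:\xFE\xFF|\xFF\xFE)/;

    # No BOM: assumed heuristic for this example only. Mostly-ASCII text
    # has its zero bytes at even offsets in BE and at odd offsets in LE.
    my ($even, $odd, $i) = (0, 0, 0);
    for my $byte (unpack 'C*', $bytes) {
        if ($byte == 0) { $i % 2 ? $odd++ : $even++ }
        $i++;
    }
    return Encode::find_encoding('UTF-16BE') if $even > $odd;
    return Encode::find_encoding('UTF-16LE') if $odd > $even;
    return;    # too short or ambiguous: the caller must expect undef
}

# Hypothetical caller: produce a debug-style description of the input.
sub describe {
    my ($bytes) = @_;
    my $decoder = pick_utf16_decoder($bytes);

    # Without this guard, $decoder->name dies with
    # 'Can't call method "name" on an undefined value'.
    return 'byte order undetermined, left undecoded' unless defined $decoder;

    my $text = $decoder->decode($bytes);
    my @codepoints = map { sprintf('U+%04X', ord $_) } split //, $text;
    return sprintf '%s -> %s', $decoder->name, join(' ', @codepoints);
}

# Payload of the encoded-word in the reported From: header, followed by a
# constructed BOM-less input that is too short to classify.
for my $bytes (decode_base64('//492Enc'), "\x3D\xD8") {
    printf "%-14s %s\n", unpack('H*', $bytes), describe($bytes);
}
```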