Bug 1506587 - Compact extraneous white space in display name to avoid sender address spoofing. r=jorgk
authorMagnus Melin <mkmelin+mozilla@iki.fi>
Fri, 16 Nov 2018 21:31:26 +0200
changeset 33724 8ca96cbae03df48764aae6ab431b91164f16fd9b
parent 33723 e19bd82baf3c10ea00b1fef5754b3e2021646609
child 33725 fa82003e8d33fd5e1759a7b183fc65c18ebb207f
push id388
push userclokep@gmail.com
push dateMon, 28 Jan 2019 20:54:56 +0000
reviewersjorgk
bugs1506587
Bug 1506587 - Compact extraneous white space in display name to avoid sender address spoofing. r=jorgk
mailnews/mime/jsmime/jsmime.js
mailnews/mime/jsmime/test/test_header.js
--- a/mailnews/mime/jsmime/jsmime.js
+++ b/mailnews/mime/jsmime/jsmime.js
@@ -816,23 +816,27 @@ function parseAddressingHeader(header, d
   function addToAddrList(displayName, addrSpec) {
     // Keep the local-part quoted if it needs to be.
     let lp = addrSpec.substring(0, addrSpec.lastIndexOf("@"));
     if (/[ !()<>\[\]:;@\\,"]/.exec(lp) !== null) {
       addrSpec = '"' + lp.replace(/([\\"])/g, "\\$1") + '"' +
                  addrSpec.substring(addrSpec.lastIndexOf("@"));
     }
 
+    // Replace consecutive whitespace in the name with a single whitespace.
+    displayName = displayName.replace(/\s\s+/g, " ");
+
     if (displayName === '' && lastComment !== '') {
       // Take last comment content as the display-name.
       let offset = lastComment[0] === ' ' ? 2 : 1;
       displayName = lastComment.substr(offset, lastComment.length - offset - 1);
     }
-    if (displayName !== '' || addrSpec !== '')
+    if (displayName !== '' || addrSpec !== '') {
       addrlist.push({name: displayName, email: addrSpec});
+    }
     // Clear pending flags and variables.
     name = localPart = address = lastComment = '';
     inAngle = inComment = needsSpace = false;
   }
 
   // Main parsing loop
   for (let token of getHeaderTokens(header, ":,;<>@",
         {qstring: true, comments: true, dliteral: true, rfc2047: doRFC2047})) {
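Review bot: The whitespace compaction at the top of `addToAddrList` runs before the `lastComment` fallback, so a display name taken from the last comment is pushed to `addrlist` without being compacted. Moving the replace below the fallback block, just before the `addrlist.push`, would cover both sources of the name. The pattern `/\s\s+/g` also leaves a lone tab or line break in place and does not trim the ends; `displayName = displayName.replace(/\s+/g, " ").trim();` would normalise those as well, provided existing callers do not rely on the current output. Whether comment text can still contain whitespace runs at this point depends on the tokenizer, which is outside the hunk.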
--- a/mailnews/mime/jsmime/test/test_header.js
+++ b/mailnews/mime/jsmime/test/test_header.js
@@ -356,16 +356,19 @@ suite('headerparser', function () {
         [{name: "(c9(c10)c11)", email: "a@b.d"}]],
       ["(c3)a(c4)@(c5)b(c6).(c7)d(c8)(c9(c10)c11)",
         [{name: "c9(c10)c11", email: "a@b.d"}]],
       ["(c1)n(c2) <(c3)a(c4)@(c5)b(c6).(c7)d(c8)> (c9(c10)c11)(c12)",
         [{name: "(c1) n (c2) (c9(c10)c11) (c12)", email: "a@b.d"}]],
       ["<(c3)a(c4)@(c5)b(c6).(c7)d(c8)> (c9(c10)c11)(c12)",
         [{name: "(c9(c10)c11) (c12)", email: "a@b.d"}]],
       ["(c3)a(c4)@(c5)b(c6).(c7)d(c8)(c9(c10)c11)(c12)", [{name: "c12", email: "a@b.d"}]],
+      // Collapse extraneous whitespace.
+      ["Friend \"<friend@huhu.com>\"                                \t <ws@example.com>",
+        [{name: "Friend <friend@huhu.com>", email: "ws@example.com"}]],
     ];
     header_tests.forEach(function (data) {
       arrayTest(data, function () {
         assert.deepEqual(headerparser.parseAddressingHeader(data[0], false),
           data[1]);
       });
     });
   });
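Review bot: The only new case places the whitespace run between the closing quote and `<` rather than inside the display name, so it may pass without the new `replace` if the tokenizer already drops inter-token whitespace (not visible in this hunk). A case with the run inside the quoted string, and one where the name comes from a trailing comment, would pin the behaviour the fix is meant to guarantee. The comment above the case could also state the security reason, for example `// Padding in the display name must not push the real addr-spec out of view.`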