Fix "'test@example.com' <test@example.com>" marked as spoofed

Make RFC833.MailboxAddress.has_distinct_name() consider substrings rather than straight-up string comparison. See #491
2019-07-06 14:38:05 +10:00 · 2019-07-06 14:38:05 +10:00 · bed1bad3ea
commit bed1bad3ea
parent 936c4aa402
2 changed files with 25 additions and 19 deletions
--- a/src/engine/rfc822/rfc822-mailbox-address.vala
+++ b/src/engine/rfc822/rfc822-mailbox-address.vala
@ -409,17 +409,19 @@ public class Geary.RFC822.MailboxAddress :
     * Determines if the name part is different to the address part.
     *
     * @return //true// if {@link name} is not empty, and the
-     * normalised name part and {@link address} are not equal when
-     * performing a case-insensitive comparison.
+     * normalised {@link address} part is not contained within the
+     * name part when performing a case-insensitive comparison.
     */
    public bool has_distinct_name() {
        string name = Geary.String.reduce_whitespace(this.name);
-        return (
-            !Geary.String.is_empty(name) &&
-            name.normalize().casefold() != Geary.String.reduce_whitespace(
-                this.address.normalize().casefold()
-            )
-        );
+        bool ret = false;
+        if (!Geary.String.is_empty(name)) {
+            string address = Geary.String.reduce_whitespace(
+                this.address.normalize()
+            );
+            ret = !(address.normalize().casefold() in name.casefold());
+        }
+        return ret;
    }

    /**
--- a/test/engine/rfc822-mailbox-address-test.vala
+++ b/test/engine/rfc822-mailbox-address-test.vala
@ -12,8 +12,9 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
        add_test("is_valid_address", is_valid_address);
        add_test("unescaped_constructor", unescaped_constructor);
        add_test("from_rfc822_string_encoded", from_rfc822_string_encoded);
-        add_test("is_spoofed", is_spoofed);
+        // latter depends on the former, so test that first
        add_test("has_distinct_name", has_distinct_name);
+        add_test("is_spoofed", is_spoofed);
        add_test("to_full_display", to_full_display);
        add_test("to_short_display", to_short_display);
        // latter depends on the former, so test that first
@ -151,6 +152,17 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
        }
    }

+    public void has_distinct_name() throws Error {
+        assert(new MailboxAddress("example", "example@example.com").has_distinct_name() == true);
+
+        assert(new MailboxAddress("", "example@example.com").has_distinct_name() == false);
+        assert(new MailboxAddress(" ", "example@example.com").has_distinct_name() == false);
+        assert(new MailboxAddress("example@example.com", "example@example.com").has_distinct_name() == false);
+        assert(new MailboxAddress(" example@example.com ", "example@example.com").has_distinct_name() == false);
+        assert(new MailboxAddress(" example@example.com ", "example@example.com").has_distinct_name() == false);
+        assert(new MailboxAddress("'example@example.com'", "example@example.com").has_distinct_name() == false);
+    }
+
    public void is_spoofed() throws Error {
        assert(new MailboxAddress(null, "example@example.com").is_spoofed() == false);
        assert(new MailboxAddress("", "example@example.com").is_spoofed() == false);
@ -161,6 +173,7 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
        assert(new MailboxAddress("test?", "example@example.com").is_spoofed() == false);
        assert(new MailboxAddress("test@example.com", "test@example.com").is_spoofed() == false);
        assert(new MailboxAddress("test@EXAMPLE.com", "test@example.com").is_spoofed() == false);
+        assert(new MailboxAddress("'example@example.com'", "example@example.com").is_spoofed() == false);

        assert(new MailboxAddress("test@example.com", "example@example.com").is_spoofed() == true);
        assert(new MailboxAddress("test @ example . com", "example@example.com").is_spoofed() == true);
@ -169,6 +182,7 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
        assert(new MailboxAddress("test", "example@\nexample@example.com").is_spoofed() == true);
        assert(new MailboxAddress("test", "example@example@example.com").is_spoofed() == true);

+
        try {
            assert(new MailboxAddress.from_rfc822_string("\"=?utf-8?b?dGVzdCIgPHBvdHVzQHdoaXRlaG91c2UuZ292Pg==?==?utf-8?Q?=00=0A?=\" <demo@mailsploit.com>")
                   .is_spoofed() == true);
@ -177,16 +191,6 @@ class Geary.RFC822.MailboxAddressTest : TestCase {
        }
    }

-    public void has_distinct_name() throws Error {
-        assert(new MailboxAddress("example", "example@example.com").has_distinct_name() == true);
-
-        assert(new MailboxAddress("", "example@example.com").has_distinct_name() == false);
-        assert(new MailboxAddress(" ", "example@example.com").has_distinct_name() == false);
-        assert(new MailboxAddress("example@example.com", "example@example.com").has_distinct_name() == false);
-        assert(new MailboxAddress(" example@example.com ", "example@example.com").has_distinct_name() == false);
-        assert(new MailboxAddress(" example@example.com ", "example@example.com").has_distinct_name() == false);
-    }
-
    public void to_full_display() throws Error {
        assert(new MailboxAddress("", "example@example.com").to_full_display() ==
               "example@example.com");