From: <ki...@us...> - 2008-02-10 16:21:52
Revision: 12929 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=12929&view=rev Author: kink Date: 2008-02-10 08:21:46 -0800 (Sun, 10 Feb 2008) Log Message: ----------- improve message ID generation: put together a string based on user-data (username, IP, remote port), serial data (time in ms) and randomness, and put this all through a one-way hash. This makes the chance on collisions unrealistically small, and at the same time prevents all kinds of trouble when some vars are not available or contain non-allowed information (like IPv6 addresses). Modified Paths: -------------- trunk/squirrelmail/class/deliver/Deliver.class.php Modified: trunk/squirrelmail/class/deliver/Deliver.class.php ===================================================================
--- trunk/squirrelmail/class/deliver/Deliver.class.php 2008-02-10 15:45:01 UTC (rev 12928)
+++ trunk/squirrelmail/class/deliver/Deliver.class.php 2008-02-10 16:21:46 UTC (rev 12929)
@@ -491,8 +491,10 @@
 global $domain, $username, $encode_header_key, $edit_identity, $hide_auth_header;
- /* if server var SERVER_NAME not available, use $domain */
- if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
+ /* if server var SERVER_NAME not available, or contains
+ ":" (e.g. IPv6) which is illegal in a Message-ID, use $domain */
+ if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER) ||
+ strpos($SERVER_NAME,':') !== FALSE) {
 $SERVER_NAME = $domain;
 }
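Review bot: The new guard in the `if(!sqGetGlobalVar('SERVER_NAME', ...) || strpos($SERVER_NAME,':') !== FALSE)` condition rejects only a colon, but the right-hand side of a Message-ID has to be dot-atom-text, so a SERVER_NAME containing whitespace, '>' or other punctuation still yields an invalid header. Depending on web-server configuration SERVER_NAME can be derived from the client-supplied Host header rather than a fixed server setting, so an allow-list is the safer check than a single-character deny-list: `if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER) || !preg_match('/^[A-Za-z0-9.-]+$/', $SERVER_NAME)) {` — an empty value then also falls back to `$domain`, and the comment above it can say "use $domain unless SERVER_NAME is a plain hostname (letters, digits, '.' and '-')". The enclosing method starts before this hunk, and the hunk's trailing context lines appear to have been collapsed away in this rendering.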
@@ -506,16 +508,17 @@
 /* This creates an RFC 822 date */
 $date = date('D, j M Y H:i:s ', time()) . $this->timezone();
+ /* Create a message-id */
- $message_id = '<' . (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
-//FIXME: if $REMOTE_ADDR is missing, should we skip this if/else block? or perhaps try to generate it with some different kind of info?
- if (isset($encode_header_key) && trim($encode_header_key)!='') {
- // use encrypted form of remote address
- $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key));
- } else {
- $message_id.= $REMOTE_ADDR;
- }
- $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>';
+ $message_id = '<';
+ /* user-specifc data to decrease collision chance */
+ $seed_data = $username . '.';
+ $seed_data .= (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
+ $seed_data .= (!empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : '');
+ /* add the current time in milliseconds and randomness */
+ $seed_data .= uniqid(mt_rand(),true);
+ /* put it through one-way hash and add it to the ID */
+ $message_id .= md5($seed_data) . '.squirrel@' . $SERVER_NAME .'>';
 $this->message_id = $message_id;
 /* Make an RFC822 Received: line */
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
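Review bot: The comment above `$seed_data = $username . '.';` should state what the md5 is and is not for: the seed is built from values a recipient can partly know or guess (the sender's username, address and port, plus a timestamp that the Date header already narrows down), and `mt_rand()` and `uniqid()` are the only unpredictable inputs, neither of which is a cryptographic source — so the hash reduces collisions and keeps the raw values out of the header, but it is not a confidentiality guarantee the way the removed `OneTimePadEncrypt` branch was meant to be. Suggested wording, which also fixes the "user-specifc" typo: `/* user-specific data to reduce the collision chance; the md5 below keeps these raw values out of the header but is not a secrecy mechanism */`. With the encrypted-address branch gone, nothing in this hunk reads `$encode_header_key` any more, so the `global` declaration at the top of the method may now be unused here — worth confirming before trimming it. `$REMOTE_ADDR` and `$REMOTE_PORT` are assigned outside the hunk, and the method continues past it.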