[SM-CVS] SF.net SVN: squirrelmail: [12929] trunk/squirrelmail/class/deliver/Deliver. class.php

[<ki...@us...>]

Revision: 12929
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=12929&view=rev
Author:   kink
Date:     2008-02-10 08:21:46 -0800 (Sun, 10 Feb 2008)

Log Message:
-----------
improve message ID generation: put together a string based on user-data
(username, IP, remote port), serial data (time in ms) and randomness,
and put this all through a one-way hash. This makes the chance on
collisions unrealistically small, and at the same time prevents all
kinds of trouble when some vars are not available or contain non-allowed
information (like IPv6 addresses).

Modified Paths:
--------------
    trunk/squirrelmail/class/deliver/Deliver.class.php

Modified: trunk/squirrelmail/class/deliver/Deliver.class.php
===================================================================
--- trunk/squirrelmail/class/deliver/Deliver.class.php	2008-02-10 15:45:01 UTC (rev 12928)
+++ trunk/squirrelmail/class/deliver/Deliver.class.php	2008-02-10 16:21:46 UTC (rev 12929)
@@ -491,8 +491,10 @@
         global $domain, $username, $encode_header_key,
                $edit_identity, $hide_auth_header;
 
-        /* if server var SERVER_NAME not available, use $domain */
-        if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
+        /* if server var SERVER_NAME not available, or contains
+           ":" (e.g. IPv6) which is illegal in a Message-ID, use $domain */
+        if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER) ||
+            strpos($SERVER_NAME,':') !== FALSE) {
             $SERVER_NAME = $domain;
         }
 
@@ -506,16 +508,17 @@
 
         /* This creates an RFC 822 date */
         $date = date('D, j M Y H:i:s ', time()) . $this->timezone();
+
         /* Create a message-id */
-        $message_id = '<' . (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
-//FIXME: if $REMOTE_ADDR is missing, should we skip this if/else block?  or perhaps try to generate it with some different kind of info?
-        if (isset($encode_header_key) && trim($encode_header_key)!='') {
-            // use encrypted form of remote address
-            $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key));
-        } else {
-            $message_id.= $REMOTE_ADDR;
-        }
-        $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>';
+        $message_id = '<';
+        /* user-specifc data to decrease collision chance */
+        $seed_data = $username . '.';
+        $seed_data .= (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
+        $seed_data .= (!empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : '');
+        /* add the current time in milliseconds and randomness */
+        $seed_data .= uniqid(mt_rand(),true);
+        /* put it through one-way hash and add it to the ID */
+        $message_id .= md5($seed_data) . '.squirrel@' . $SERVER_NAME .'>';
         $this->message_id = $message_id;
 
         /* Make an RFC822 Received: line */


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.