1 # Copyright (C) 2013, Eric Wong <normalperson@yhbt.net> and all contributors
2 # License: AGPLv3 or later (https://www.gnu.org/licenses/agpl-3.0.txt)
4 # This only exposes one function: run
5 # Note: the settings here are highly opinionated. Obviously, this is
6 # Free Software (AGPLv3), so you may change it if you host yourself.
7 package PublicInbox::Filter;
11 use Email::MIME::ContentType qw/parse_content_type/;
14 our $VERSION = '0.0.1';
16 # start with the same defaults as mailman
17 our $BAD_EXT = qr/\.(?:exe|bat|cmd|com|pif|scr|vbs|cpl)\z/i;
19 # this is highly opinionated delivery
20 # returns 0 only if there is nothing to deliver
22 my ($class, $simple) = @_;
24 my $content_type = $simple->header("Content-Type") || "text/plain";
26 # kill potentially bad/confusing headers
27 # Note: ssoma already does this, but since we mangle the message,
28 # we should do this before it gets to ssoma.
29 foreach my $d (qw(status lines content-length)) {
30 $simple->header_set($d);
33 if ($content_type =~ m!\btext/plain\b!i) {
34 return 1; # yay, nothing to do
35 } elsif ($content_type =~ m!\btext/html\b!i) {
36 # HTML-only, non-multipart
37 my $body = $simple->body;
38 my $ct_parsed = parse_content_type($content_type);
39 dump_html($body, $ct_parsed->{attributes}->{charset});
40 replace_body($simple, $body);
42 } elsif ($content_type =~ m!\bmultipart/!i) {
43 return strip_multipart($simple, $content_type);
45 replace_body($simple, "$content_type message scrubbed");
51 my ($simple, $part, $type) = ($_[0], $_[1], $_[3]);
52 # don't copy $_[2], that's the body (it may be huge)
54 # Email::MIME insists on setting Date:, so just set it consistently
55 # to avoid conflicts to avoid git merge conflicts in a split brain
57 unless (defined $part->header('Date')) {
58 my $date = $simple->header('Date') ||
59 'Thu, 01 Jan 1970 00:00:00 +0000';
60 $part->header_set('Date', $date);
63 $part->charset_set(undef);
64 $part->name_set(undef);
65 $part->filename_set(undef);
66 $part->format_set(undef);
67 $part->encoding_set('8bit');
68 $part->disposition_set(undef);
69 $part->content_type_set($type);
70 $part->body_set($_[2]);
73 # converts one part of a multipart message to text
74 sub html_part_to_text {
75 my ($simple, $part) = @_;
76 my $body = $part->body;
77 my $ct_parsed = parse_content_type($part->content_type);
78 dump_html($body, $ct_parsed->{attributes}->{charset});
79 replace_part($simple, $part, $body, 'text/plain');
82 # modifies $_[0] in place
84 my $charset = $_[1] || 'US-ASCII';
85 my $cmd = "lynx -stdin -dump";
87 # be careful about remote command injection!
88 if ($charset =~ /\A[A-Za-z0-9\-]+\z/) {
89 $cmd .= " -assume_charset=$charset";
92 my $pid = open2(my $out, my $in, $cmd);
102 # this is to correct user errors and not expected to cover all corner cases
103 # if users don't want to hit this, they should be sending text/plain messages
104 # unfortunately, too many people send HTML mail and we'll attempt to convert
105 # it to something safer, smaller and harder-to-track.
106 sub strip_multipart {
107 my ($simple, $content_type) = @_;
108 my $mime = Email::MIME->new($simple->as_string);
114 # scan through all parts once
115 $mime->walk_parts(sub {
117 return if $part->subparts; # walk_parts already recurses
119 # some extensions are just bad, reject them outright
120 my $fn = $part->filename;
121 if (defined($fn) && $fn =~ $BAD_EXT) {
126 my $part_type = $part->content_type;
127 if ($part_type =~ m!\btext/plain\b!i) {
129 } elsif ($part_type =~ m!\btext/html\b!i) {
131 } elsif ($part_type =~ m!\btext/[a-z0-9\+\._-]+\b!i) {
132 # Give other text attachments the benefit of the doubt,
133 # here? Could be source code or script the user wants
138 # reject everything else
140 # Yes, we drop GPG/PGP signatures because:
141 # * hardly anybody bothers to verify signatures
142 # * we strip/convert HTML parts, which could invalidate
144 # * they increase the size of messages greatly
145 # (especially short ones)
146 # * they do not compress well
148 # Instead, rely on soft verification measures:
149 # * content of the message is most important
150 # * we encourage Cc: all replies, so replies go to
151 # the original sender
152 # * Received, User-Agent, and similar headers
153 # (this is also to encourage using self-hosted mail
154 # servers (using 100% Free Software, of course :)
156 # Furthermore, identity theft is uncommon in Free/Open
157 # Source, even in communities where signatures are rare.
162 if ($content_type =~ m!\bmultipart/alternative\b!i) {
163 if (scalar @keep == 1) {
164 return collapse($simple, $keep[0]);
166 } else { # convert HTML parts to plain text
167 foreach my $part (@html) {
168 html_part_to_text($simple, $part);
174 @keep = (Email::MIME->create(
176 content_type => 'text/plain',
177 charset => 'US-ASCII',
180 body_str => 'all attachments scrubbed by '. __PACKAGE__
184 if (scalar(@html) || $rejected) {
185 $mime->parts_set(\@keep);
186 $simple->body_set($mime->body_raw);
187 mark_changed($simple);
195 $simple->header_set("X-Content-Filtered-By", __PACKAGE__ ." $VERSION");
199 my ($simple, $part) = @_;
200 $simple->header_set("Content-Type", $part->content_type);
201 $simple->body_set($part->body_raw);
202 mark_changed($simple);
208 $simple->body_set($_[1]);
209 $simple->header_set("Content-Type", "text/plain");
210 if ($simple->header("Content-Transfer-Encoding")) {
211 $simple->header_set("Content-Transfer-Encoding", undef);
213 mark_changed($simple);