Protect against RTLO attacks (#3609)

Protect against RTLO attackts
2026-05-14 04:16:30 +03:00 · 2023-04-07 10:36:37 +02:00
parent 36bec9c295
commit eed8e08145
7 changed files with 79 additions and 22 deletions
--- a/src/receive_imf.rs
+++ b/src/receive_imf.rs
@@ -37,7 +37,9 @@ use crate::reaction::{set_msg_reaction, Reaction};
 use crate::securejoin::{self, handle_securejoin_handshake, observe_securejoin_on_other_device};
 use crate::sql;
 use crate::stock_str;
-use crate::tools::{buf_compress, extract_grpid_from_rfc724_mid, smeared_time};
+use crate::tools::{
+    buf_compress, extract_grpid_from_rfc724_mid, smeared_time, strip_rtlo_characters,
+};
 use crate::{contact, imap};

 /// This is the struct that is returned after receiving one email (aka MIME message).
@@ -1077,7 +1079,7 @@ async fn add_parts(

    let mut created_db_entries = Vec::with_capacity(mime_parser.parts.len());

-    for part in &mime_parser.parts {
+    for part in &mut mime_parser.parts {
        if part.is_reaction {
            set_msg_reaction(
                context,
@@ -1093,6 +1095,7 @@ async fn add_parts(
        if is_system_message != SystemMessage::Unknown {
            param.set_int(Param::Cmd, is_system_message as i32);
        }
+
        if let Some(replace_msg_id) = replace_msg_id {
            let placeholder = Message::load_from_db(context, replace_msg_id).await?;
            for key in [
@@ -1681,7 +1684,7 @@ async fn apply_group_changes(
                        .sql
                        .execute(
                            "UPDATE chats SET name=? WHERE id=?;",
-                            paramsv![grpname.to_string(), chat_id],
+                            paramsv![strip_rtlo_characters(grpname), chat_id],
                        )
                        .await?;
                    send_event_chat_modified = true;