# HG changeset patch
# User Kevin McCarthy <kevin@8t8.us>
# Date 1417472349 28800
#      Mon Dec 01 14:19:09 2014 -0800
# Node ID e8e07f3c08e5e83dbeb83ace6649c05042e5ff9c
# Parent  39d3ddb56d340f66ffd0fe476003645f4cdc30bc
# Change EMAIL_WSP to be space and tab  (references #3716)
#
# This patch fixes CVE-2014-9116 in the development branch, by changing
# EMAIL_WSP, skip_email_wsp(), and is_email_wsp() to define WSP as space
# and tab only.
#
# Michael reviewed [f251d523ca5a] and the code using these functions, and
# believes they all are used for unfolded headers.  Furthermore, it makes
# sense for WSP to match RFC5322.
#
# Thanks also to Antonio Radici and Tomas Hoger for their analysis and
# patches to mutt, which this patch is based off of.
diff --git a/lib.h b/lib.h
--- a/lib.h
+++ b/lib.h
@@ -93,17 +93,17 @@
 #define FMT_CENTER	-1
 
 #define FOREVER while (1)
 
 /* this macro must check for *c == 0 since isspace(0) has unreliable behavior
    on some systems */
 # define SKIPWS(c) while (*(c) && isspace ((unsigned char) *(c))) c++;
 
-#define EMAIL_WSP " \t\r\n"
+#define EMAIL_WSP " \t"
 
 /* skip over WSP as defined by RFC5322.  This is used primarily for parsing
  * header fields. */
 
 static inline char *skip_email_wsp(const char *s)
 {
   if (s)
     return (char *)(s + strspn(s, EMAIL_WSP));