History log of /netbsd-current/usr.bin/mail/cmd3.c
Revision Date Author Comments
# 1.44 09-Nov-2017 christos

Only open regular files.


Revision tags: matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107 pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base
# 1.43 16-Dec-2014 christos

Fix various security related issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with |.

Such addresses can be specified both on the command line, the mail
headers (with -t) or in address lines copied over from previous
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.

Added expandaddr option to explicitly enable this behavior.

0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.

Fixed.

0003. Make wordexp support mandatory. (No functional change.)

Fixed (replaced explicit shell pipe implementation).

0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:

Fixed (as part of the pipe replacement with wordexp).


Revision tags: netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base agc-symver-base yamt-pagecache-base8 yamt-pagecache-base7 yamt-pagecache-base6 tls-maxphys-base yamt-pagecache-base5
# 1.42 29-Apr-2012 christos

branches: 1.42.10;
set close on exec for all opened files.


Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base matt-mips64-premerge-20101231 matt-premerge-20091211 jym-xensuspend-nbase jym-xensuspend-base
# 1.41 11-Apr-2009 christos

branches: 1.41.6;
- magic fix for short files
- knf
from Anon Ymous


# 1.40 10-Apr-2009 christos

From Anon Ymous:

- Remove all longjmp(3) calls from signal handlers. Instead, we post
to an internal signal queue and check that periodically. All signal
related code is now in sig.c, except for the SIGCHLD handler which
remains in popen.c as it is intimately tied to routines there.

- Handle SIGPIPE in type1() regardless of mime support, or else the
handler in execute() will prevent our error code from being returned
resulting in 'sawcom' not being set on the first command as it should.
This only affected the initial behavior of the "next" command without
mime support.

- Add the 'T' flag to many commands in cmdtab.c that should not look
like the first command. E.g., start mail on a mailbox with multiple
messages, run "set foo", then "next", and watch the second message get
displayed rather than the first as is the case without the first "set"
command.

- Add file descriptor and file handle leak detection. Enabled by
DEBUG_FILE_LEAK. This will likely disappear in the future.

- Fix a long standing (since import in 1993) longjmp() bug in
edstop(): the jmpbuf was invalid when quit() is called at the end of
main.

- Fix a long standing bug (since import in 1993) in snarf() where it
didn't strip whitespace correctly if the line consisted only of
whitespace.

- Lint cleanup.

- New Feature: "Header" command. This allows miscellaneous header
fields to be added to the header, e.g., "X-Organization:" or
"Reply-To:" fields.

- New Feature: "page-also" variable. This allows the specification of
additional commands to page. It is more flexible than "crt".

- Document the "pager-off" variable: if set, it disables paging
entirely.


Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 netbsd-5-0-RC2 netbsd-5-0-RC1 netbsd-5-base matt-mips64-base2 mjf-devfs2-base wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 wrstuden-revivesa-base-1 yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 wrstuden-revivesa-base yamt-pf42-base keiichi-mipv6-nbase keiichi-mipv6-base matt-armv6-nbase cube-autoconf-base matt-armv6-base hpcarm-cleanup-base
# 1.39 30-Oct-2007 christos

branches: 1.39.14;
From Anon Ymous: Make this compile without MIME_SUPPORT.


# 1.38 30-Oct-2007 christos

From Anon Ymous:

- Add a "forward" command as requested by garbled@.
From the manpage:

forward
Takes a list of messages and prompts for an address (or
addresses) to forward each message to. If no message list is
specified, the current message is used. The mail editor is run
for each message allowing the user to enter a message that will
precede the forward message. The message is sent as a
multipart/mixed MIME encoded message.

- Add the ability to match messages that do (or do not) contain a
header field. E.g., the command "f ! /Subject:" will display the
list of messages that are missing a "Subject" field.

- Teach savemail() to prefix fake headlines so the mbox doesn't get
broken.

- Fixed a couple of "bugs" in the attachment editing routine.


# 1.37 29-Oct-2007 christos

From Anon Ymous:
knf changes:
- s/sizeof x/sizeof(x)/.
- remove unnecessary malloc typecasts.
- whitespace nits.


# 1.36 27-Oct-2007 christos

From Anon Ymous:
- Add a "bounce" command as requested by garbled@.
From the manpage:

bounce Takes a list of messages and prompts for an address to bounce the
messages to. All the original header fields are preserved except
for the ``Delivered-To'', ``X-Original-To'' and ``Status''
fields. The new ``To'' field contains the bounce address(es)
plus any addresses in the old ``To'' field minus the user's local
address and any on the alternates list. (See the alternates
command.)


# 1.35 23-Oct-2007 christos

From Anon Ymous:
- Introduce date_to_tm() and hl_date_to_tm() to parse the date and
headline date a bit more efficiently.
- If 'tm_isdst' is determined, let strftime(3) handle the '%Z' and
'%z' formats. Otherwise, output "-0000" and "???", respectively, to
help preserve with alignment; strftime(3) will output an empty
string in these cases.
- Change fail() to use the '-d' flag (which sets the 'debug' variable)
rather than the "debug" _environment_ variable. This is more
consistent with other warnings.
- Don't use gcc C extensions, e.g., "case LOW ... HIGH:".
- Define is_WSP() in def.h to be an inline function that checks for
whitespace (WSP = ' ' or '\t'), as defined in RFC 2822. Use it
consistently in place of isblank().
- For consistency, rename skip_blank() to skip_WSP().
- Add inline skip_space() to complement skip_blank() (now skip_WSP).
- Check all ctype(3) calls for argument range issues.
- Whitespace and comment cleanup/changes.


Revision tags: matt-mips64-base
# 1.34 05-Jun-2007 christos

branches: 1.34.4;
Add RCSID's to help files and centralize the function to cat the help files.


Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base netbsd-4-base
# 1.33 28-Nov-2006 christos

From Anon Ymous:

1) Statification of modules.

2) Implement the 'detach' and 'Detach' commands for extracting mime
parts from messages.

3) Teach mail to output "In-Reply-To" and "References" header fields
when replying so others can thread us.

4) Implement threading, sorting, and tagging, supported by the
following commands: 'flatten', 'reverse', 'sort', 'thread',
'unthread', 'down', 'tset', 'up', 'expose', 'hide', 'tag',
'untag', 'invtags', 'tagbelow', 'hidetags', 'showtags'.
See the manpage for details (when available - soon).

5) Implement a 'deldups' command to delete duplicate messages based on
their "Message-Id" field, e.g., in replies to a mailing list that
are also CCed to a subscriber. (This can also be accomplished with
the threading and tagging commands.)

6) Implement 'ifdef' and 'ifndef' commands, and make the conditionals
nestable (i.e., implement a conditional stack). The if/else/endif
commands existed before, but they were primitive and undocumented.
The 'if' command currently recognizes the "receiving", "sending",
and "headersonly" mode keywords.

7) Teach the message selecting routine to understand regular
expressions if "regex-search" is defined. Otherwise only case
insensitive substring matches are done (as in the past).

8) Teach the message selection routine to understand boolean
expressions. Improved "colon-modifier" support. See the manpage
for details (when available - soon).

9) Extend paging to all commands (where relevant).

10) Add shell like piping and redirection of (standard) output (if
"enable-piping" is defined). Extend completion to these contexts.

11) The manpage should follow soon!!!!


# 1.32 31-Oct-2006 christos

More fixes from Anon Ymous:


1) Removed the -B flag (it was stupid on my part) and added a short
description indicating how to accomplish the same thing under the
"Sending Mail" section of man mail(1).

2) Added a -H flag to dump the headers and exit. It takes optional
flags to restrict to old, new, read, unread, and deleted messages
(the latter being kind of useless - it shares code with something
that already had it).

3) Restored the 'Save' command which somehow got mistakenly removed in
the last commit and add documentation for it! (My apologies to
its author.)

4) Added a 'mkread' command to mark messages as read (the inverse of
'unread'). Should we also have a 'mknew' command?

5) Added a 'smopts' command to keep a database of addresses and
sendmail options to be used when sending messages to those
addresses. See man mail(1) for a fuller description.

6) Added 'indentpreamble' and 'indentpostscript' variables whose
values are inserted before and after a quoted message (~m or ~M
escapes).
7) Added string formatting abilities for the 'prompt', 'insertpreamble',
'insertpostscript', and header display strings. These strings
support all the strftime() format parameters as well as many more
specific to mail (see man mail(1)).

8) Fix the -a flag so that it only takes a single filename, unless
"mime-attach-list" is defined. This is more conventional and avoids
unexpected whitespace issues.


# 1.31 21-Oct-2006 christos

From our anonymous user:
- mime and character set handling
- command line editor and completion
- many code improvements


# 1.30 19-Sep-2006 christos

s/ReplyFrom/ReplyAsRecipient/ from our anonymous user.


# 1.29 18-Sep-2006 christos

Jumbo mail patch from our anonymous user:

1) Use editline [optional]:
Most of this code was borrowed from src/usr.bin/ftp. It does the
appropriate editing, history, and completion for all mail commands
(from cmdtab[]) and also does editing on header strings ('~h' inside
the mail editor).

2) '-B' flag:
This will suppress the "To:" line passed to sendmail. In most
configurations it will lead to sendmail adding "To: undisclosed
recipients;". Currently, AFAIK mail requires at least one exposed
recipient address.

3) Comments in rcfile:
Currently, comments in .mailrc are only supported if the first
(non-white) character on a line is '#' followed by white space,
i.e., '#' is a 'nop' command. This (trivial) patch allows the more
normal/expected use of '#' as a comment character. It does not
respect quoting, so that might be an objection which I should fix.

4) Sendmail option editing:
This adds the sendmail option string to the strings editable by the
'~h' command within the mail editor. Currently, you can only set
this string from the command-line, which is particularly annoying
when replying to mail.

5) Reply from:
When replying to a message, grab the "To:" address from the message
and, if there is only one such address and it does not match a list of
allowed addresses (set in the "ReplyFrom" variable), pass it to
sendmail as the "From:" address for the reply (with the '-f' option).
I often make aliases for myself so that my primary address is not
given out; if the alias gets out, I know who to blame. Unfortunately,
a reply to such a message would normally use the primary address
without this patch. A warning is displayed when this is going to
happen so that it can be modified with '~h'.

6) CC and BCC lists:
Allow '-c' and '-b' to accept white-space or ',' delimited lists.
Currently, a white-space delimited list of addresses works, but a
list of aliases will not get expanded. For example, currently:

mail -c "foo bar" christos

will fail to send mail to 'foo' and 'bar' if these are mail aliases
(in ~/.mailrc); sendmail aliases (in /etc/aliases) do work.

7) pipe command:
This pipes the current message into a shell command. I use this for
quick decoding of uuencoded mail, but I can imagine it might be
useful for decrypting encrypted mail, too.

8) show command:
This command takes a list of variables and shows their values. It
is probably stupid as the 'set' command without any argument
displays all variable values. Of course, if there are a lot of
variables you have to sift through the list for the one(s) you want.


Revision tags: abandoned-netbsd-4-base chap-midi-nbase chap-midi-base
# 1.28 03-Mar-2006 christos

PR/32964: Johan Veenhuizen: implement the unalias command


# 1.27 19-Jul-2005 christos

Pass lint completely.


# 1.26 19-Jul-2005 christos

WARNS=3


Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 netbsd-3-0-RC2 netbsd-3-0-RC1 netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE netbsd-3-base netbsd-2-0-1-RELEASE netbsd-2-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
# 1.25 10-Nov-2003 ross

Simplify set(). No functional change.


# 1.24 10-Nov-2003 ross

Refix last delta's string copying edits


# 1.23 31-Oct-2003 ross

Defensively rewrite a string moving loop.
Constify.
Check for an allocation error.


# 1.22 29-Oct-2003 ross

Fix the broken "!" escape and "shell" (&-prompt) commands. These problems
were related to closed PR bin/21896, and to the 2003-3-29 code import.


# 1.21 07-Aug-2003 agc

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.


# 1.20 29-Mar-2003 christos

bring in fixes from OpenBSD:
- use varargs properly.
- pid_t
- better handling of error conditions on forked jobs.


Revision tags: fvdl_fs64_base
# 1.19 12-Aug-2002 itojun

calloc() arg mistake. it's (nelem, size). from openbsd


Revision tags: netbsd-1-6-PATCH002-RELEASE netbsd-1-6-PATCH002 netbsd-1-6-PATCH002-RC4 netbsd-1-6-PATCH002-RC3 netbsd-1-6-PATCH002-RC2 netbsd-1-6-PATCH002-RC1 netbsd-1-6-PATCH001 netbsd-1-6-PATCH001-RELEASE netbsd-1-6-PATCH001-RC3 netbsd-1-6-PATCH001-RC2 netbsd-1-6-PATCH001-RC1 netbsd-1-6-RELEASE netbsd-1-6-RC3 netbsd-1-6-RC2 netbsd-1-6-RC1 netbsd-1-6-base
# 1.18 29-Mar-2002 ross

only count header lines that are actually going to be displayed
when deciding whether to run $PAGER, otherwise it may start up the
pager for a two line message if all 55 header lines are the subject
of a .mailrc ignore command.

(And no, I don't find this program directly useful for reading
today's mail volumes, but it's great as a component run from wrapper
scripts, pretty good for scanning archived mail, and more than
adequate for sending mail.)


# 1.17 05-Mar-2002 wiz

Use warn() instead of perror().


# 1.16 05-Mar-2002 wiz

KNF: No space after casts.


# 1.15 04-Mar-2002 wiz

Replace some more special pointers to zero (NIL, NONE, NOVAR, NOGRP, NOGE)
with NULL.


# 1.14 04-Mar-2002 wiz

Don't use special null string pointer (NOSTR), just use NULL.


# 1.13 02-Mar-2002 wiz

Rename variables to avoid shadowing.


# 1.12 02-Mar-2002 wiz

ANSIfy, and minimal KNF.


Revision tags: netbsd-1-5-PATCH003 netbsd-1-5-PATCH002 netbsd-1-5-PATCH001 netbsd-1-5-RELEASE netbsd-1-5-BETA2 netbsd-1-5-BETA netbsd-1-4-PATCH003 netbsd-1-5-ALPHA2 netbsd-1-5-base minoura-xpg4dl-base netbsd-1-4-PATCH002 wrstuden-devbsize-19991221 wrstuden-devbsize-base comdex-fall-1999-base netbsd-1-4-PATCH001 netbsd-1-4-RELEASE netbsd-1-4-base
# 1.11 09-Feb-1999 dean

fixes for PR 3886, 4719, 5424
mail is more consistent in a su'd environment
unset works if the variable is in the environment
fixed off by one error with 'z' scrolling


# 1.10 08-Oct-1998 wsanchez

Get rid of commons.
Rename vfree() to v_free() to avoid conflict in our libc's vfree().


Revision tags: netbsd-1-3-PATCH003 netbsd-1-3-PATCH003-CANDIDATE2 netbsd-1-3-PATCH003-CANDIDATE1 netbsd-1-3-PATCH003-CANDIDATE0 netbsd-1-3-PATCH002 netbsd-1-3-PATCH001 netbsd-1-3-RELEASE netbsd-1-3-BETA netbsd-1-3-base
# 1.9 19-Oct-1997 lukem

WARNSify, fix .Nm usage, deprecate register, use <err.h>


# 1.8 09-Jul-1997 mikel

update printf formats to match type of line counts


# 1.7 17-May-1997 pk

NULL => 0 (Arne Juul; PR#3629)


# 1.6 28-Dec-1996 tls

Sync with 4.4BSD-Lite2


# 1.5 08-Jun-1996 christos

- Fix PR/105: Implement dot locking protocol and check return value of flock.
- Fix PR/2247: Don't call unknown users "ubluit". Issue an error message.
- Fix/add prototypes.
- Fix warnings.
- Use POSIX signal mask calls.
- RCSid police.


Revision tags: netbsd-1-2-PATCH001 netbsd-1-2-RELEASE netbsd-1-2-BETA netbsd-1-2-base netbsd-1-1-PATCH001 netbsd-1-1-RELEASE netbsd-1-1-base netbsd-1-0-PATCH06 netbsd-1-0-PATCH05 netbsd-1-0-PATCH04 netbsd-1-0-PATCH03 netbsd-1-0-PATCH02 netbsd-1-0-PATCH1 netbsd-1-0-PATCH0 netbsd-1-0-RELEASE netbsd-1-0-base
# 1.4 29-Jun-1994 deraadt

4.4-lite, plus our mods


# 1.3 22-May-1994 jtc

cfree() is obsolete, use free()


# 1.2 01-Aug-1993 mycroft

Add RCS identifiers.


# 1.1 21-Mar-1993 cgd

branches: 1.1.1;
Initial revision